Department of Homeland Security
Office of Inspector General

Information Technology Management
Letter for the FY 2010 DHS Financial
Statement Audit

(Redacted)

OIG-11-103                                           August 2011

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

AUG 18 2011

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established
by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector
General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as
part of our oversight responsibilities to promote economy, efficiency, and effectiveness within
the department.

This report presents the information technology (IT) management letter for the FY 2010 DHS
financial statement audit as of September 30, 2010. It contains observations and
recommendations related to information technology internal control that were summarized
within the Independent Auditors' Report, dated November 12, 2010, and represents the separate
restricted distribution report mentioned in that report. The independent accounting firm KPMG
LLP (KPMG) performed the audit of the DHS' FY 2010 financial statements and prepared this
IT management letter.
KPMG is responsible for the attached IT management letter dated April
26, 2011, and the conclusions expressed in it. We do not express opinions on DHS' financial
statements or internal control, or conclusions on compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office,
and have been discussed in draft with those responsible for implementation. We trust that this
report will result in more effective, efficient, and economical operations. We express our
appreciation to all of those who contributed to the preparation of this report.

Assistant Inspector General
Information Technology Audits

KPMG LLP
2001 M Street, NW
Washington, DC 20036-3389

April 26, 2011

Inspector General
U.S. Department of Homeland Security

Chief Information Officer
U.S. Department of Homeland Security

Chief Financial Officer
U.S. Department of Homeland Security

We were engaged to audit the balance sheet of the U.S. Department of Homeland Security (DHS or
Department) as of September 30, 2010, and the related statement of custodial activity for the year
then ended (referred to herein as “financial statements”). We were also engaged to examine the
Department’s internal control over financial reporting of the balance sheet as of September 30, 2010,
and statement of custodial activity for the year then ended. In connection with our audit engagement,
we also considered DHS’ compliance with certain provisions of applicable laws, regulations,
contracts, and grant agreements that could have a direct and material effect on the balance sheet as of
September 30, 2010, and the related statement of custodial activity for the year then ended.
We were not
engaged to audit the accompanying statements of net cost, changes in net position, and budgetary
resources for the year ended September 30, 2010 (referred to herein as “other fiscal year (FY) 2010
financial statements”), or to examine internal control over financial reporting over the other FY 2010
financial statements. Because of matters discussed in our Independent Auditors’ Report, dated
November 12, 2010, the scope of our work was not sufficient to enable us to express, and we did not
express, an opinion on the financial statements.

A control deficiency exists when the design or operation of a control does not allow management or
employees, in the normal course of performing their assigned functions, to prevent or detect and
correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination of
deficiencies, in internal control over financial reporting that is less severe than a material weakness,
yet important enough to merit attention by those charged with governance. A material weakness is a
deficiency, or a combination of deficiencies, in internal control over financial reporting, such that
there is a reasonable possibility that a material misstatement of the entity’s financial statements will
not be prevented, or detected and corrected, on a timely basis.

During our audit engagement, we noted certain matters in the areas of access controls, configuration
management, security management, contingency planning, and segregation of duties with respect to
DHS’ financial systems Information Technology (IT) general controls which we believe contribute to a
DHS-level significant deficiency that is considered a material weakness in IT controls and financial
system functionality.
We also noted that in some cases, financial system functionality is inhibiting
DHS’ ability to implement and maintain internal controls, notably IT application controls supporting
financial data processing and reporting. These matters are described in the IT General Control and
Financial System Functionality Findings section of this letter.
The material weakness described above is presented in our Independent Auditors’ Report, dated
November 12, 2010. This letter represents the separate limited distribution report mentioned in that
report.

KPMG LLP is a Delaware limited liability partnership,
the U.S. member firm of KPMG International Cooperative
(“KPMG International”), a Swiss entity.

Although not considered to be a material weakness, we also noted certain other items during our audit
engagement which we would like to bring to your attention. These matters are also described in the IT
General Control and Financial System Functionality Findings section of this letter.
The material weakness and other comments described herein have been discussed with the appropriate
members of management, or communicated through a Notice of Finding and Recommendation (NFR),
and are intended For Official Use Only. We aim to use our knowledge of DHS’ organization gained
during our audit engagement to make comments and suggestions that we hope will be useful to you.
We have not considered internal control since the date of our Independent Auditors’ Report.
The Table of Contents on the next page identifies each section of the letter.
We have provided a
description of key DHS financial systems and IT infrastructure within the scope of the FY 2010 DHS
financial statement audit engagement in Appendix A; a description of each internal control finding in
Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments related to
financial management and reporting internal controls have been presented in a separate letter to the
Office of Inspector General and the DHS Chief Financial Officer dated February 1, 2011.

DHS’s written response to our comments and recommendations has not been subjected to auditing
procedures and, accordingly, we express no opinion on it.

This report is intended solely for the information and use of DHS management, DHS Office of
Inspector General, U.S. Office of Management and Budget, U.S. Government Accountability Office,
and the U.S. Congress, and is not intended to be and should not be used by anyone other than these
specified parties.

Very truly yours,

                              Department of Homeland Security
                          Information Technology Management Letter
                                     September 30, 2010

                    INFORMATION TECHNOLOGY MANAGEMENT LETTER

                                  TABLE OF CONTENTS

                                                                                    Page

Objective, Scope and Approach                                                          1
Summary of Findings and Recommendations                                                2
IT General Control Findings and Recommendations                                        3
       Access Controls                                                                 3
       Configuration Management                                                        4
       Security Management                                                             4
       Contingency Planning                                                            5
       Segregation of Duties                                                           5
Financial System Functionality                                                         5
Management Comments and OIG Response                                                   6

                                     APPENDICES

Appendix   Subject                                                                  Page
   A       Description of Key DHS Financial Systems and IT Infrastructure within the   7
           Scope of the FY 2010 DHS Financial Statement Audit
   B       FY 2010 Notices of IT Findings and Recommendations at DHS                  19
           •  Notice of Findings and Recommendations (NFR) – Definition of            20
              Severity Ratings
   C       Status of Prior Year Notices of Findings and Recommendations and          147
           Comparison to Current Year Notices of Findings and Recommendations at DHS
   D       Management Comments                                                       153
   E       Report Distribution                                                       155

                          OBJECTIVE, SCOPE AND APPROACH
During our engagement to perform an integrated audit of the Department of Homeland Security (DHS),
we evaluated the effectiveness of IT general controls of DHS’ financial processing environment and
related IT infrastructure as necessary to support the engagement. The Federal Information System
Controls Audit Manual (FISCAM), issued by the Government Accountability Office (GAO),
formed the basis of our audit as it relates to IT general controls assessments at DHS. The scope of
the DHS IT general controls assessment is described in Appendix A.
FISCAM was designed to inform financial auditors about IT controls and related audit concerns to
assist them in planning their audit work and to integrate the work of auditors with other aspects of
the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and
extent of review that generally should be performed when evaluating general controls and the IT
environment of a federal agency. FISCAM defines the following five control functions to be
essential to the effective operation of the general IT controls environment.
•   Security Management (SM) – Controls that provide a framework and continuing cycle of
    activity for managing risk, developing security policies, assigning responsibilities, and
    monitoring the adequacy of computer-related security controls.
•   Access Control (AC) – Controls that limit or detect access to computer resources (data,
    programs, equipment, and facilities) and protect against unauthorized modification, loss, and
    disclosure.
•   Configuration Management (CM) – Controls that help to prevent unauthorized changes to
    information system resources (software programs and hardware configurations) and provide
    reasonable assurance that systems are configured and operating securely and as intended.
•   Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational
    structure to manage who can control key aspects of computer-related operations.
•   Contingency Planning (CP) – Controls that involve procedures for continuing critical operations
    without interruption, or with prompt resumption, when unexpected events occur.
To complement our general IT controls audit procedures, we also performed technical security
testing for key network and system devices, as well as testing over key financial application
controls in the DHS environment. The technical security testing was performed both over the
Internet and from within select DHS facilities, and focused on test, development, and production
devices that directly support key general support systems.
In addition to testing DHS’ general control environment, we performed application control tests on
a limited number of DHS’ financial systems and applications. The application control testing was
performed to assess the input, processing, and output of financial data and transactions that support
the financial systems’ internal controls. Application controls are the structure, policies, and
procedures that apply to separate, individual application systems, such as accounts payable,
inventory, or payroll.
During FY 2010, we also considered the effects of financial system functionality while testing IT
general and application controls and other internal controls over financial reporting. Many of the
financial systems in use at DHS components were inherited from the legacy agencies and have not
been substantially updated since the department’s inception.
As a result, financial system
functionality may be inhibiting DHS’ ability to implement and maintain internal controls, notably
IT application controls supporting financial data processing and reporting at some components.

Information Technology Management Letter for the FY 2010 DHS Financial Statement Audit
                                       Page 1

               SUMMARY OF FINDINGS AND RECOMMENDATIONS
During our FY 2010 assessment of IT general and application controls and financial system
functionality, we noted that DHS made some progress in remediation of IT findings we reported
in FY 2009. We have closed approximately 30 percent of our prior year IT findings. In FY 2010
we identified approximately 161 findings, of which approximately 65 percent are repeated from last
year. Nearly one-third of our repeat findings were for IT deficiencies that management represented
were corrected during FY 2010.
Disagreements with management’s self-assessment occurred
almost entirely at the Federal Emergency Management Agency (FEMA).
The most significant weaknesses from a financial statement audit perspective include: 1) excessive
unauthorized access to key DHS financial applications; 2) configuration management controls that
are not fully defined, followed, or effective; 3) security management deficiencies in the area of the
certification and accreditation process and the lack of adhering to or developing policies and
procedures; 4) contingency planning that lacked current, tested contingency plans developed to
protect DHS resources and financial applications; and 5) lack of proper segregation of duties for
roles and responsibilities within financial systems.
Collectively, the IT control deficiencies limited DHS’ ability to ensure that critical financial and
operational data were maintained in such a manner as to ensure confidentiality, integrity, and
availability. In addition, these deficiencies negatively impacted the internal controls over DHS’
financial reporting and its operation, and we consider them to collectively represent a material
weakness for DHS under standards established by the American Institute of Certified Public
Accountants (AICPA) and GAO. The IT findings were combined into one material weakness
regarding IT Controls and Financial Systems Functionality for the FY 2010 audit of the DHS
consolidated financial statements. As reported last year, both FEMA and Immigration and Customs
Enforcement’s (ICE) control deficiencies were found to have a more significant impact on the
Department. FEMA continues to have a high number of significant IT general controls findings
that repeat each fiscal year. These weaknesses affect our ability to fully audit its financial
application controls.
In addition, ICE has significant weaknesses in its key financial system, which
have resulted in duplicate payments, as well as poor configuration and patch management.

           IT GENERAL CONTROL FINDINGS AND RECOMMENDATIONS
Conditions: In FY 2010, a number of IT and financial system functionality deficiencies were
identified at DHS. Approximately 162 findings were identified, of which approximately 65 percent
are repeated from last year. The findings identified below are a cross-representation of the nature of
IT general control deficiencies identified throughout the department’s components which contribute
to a material weakness for financial system security as part of the FY 2010 DHS financial statement
audit.

Related to IT controls:
1. Access Controls - At the following DHS components: United States Coast Guard (USCG),
   Customs and Border Protection (CBP), Federal Law Enforcement Training Center (FLETC),
   FEMA, ICE, DHS Headquarters, Transportation Security Administration (TSA), and United
   States Citizenship and Immigration Services (USCIS), we noted:
   •   Deficiencies in management of application and/or database accounts, network accounts, and
       remote user accounts:
       -    System administrator root access to financial applications was not properly restricted,
            logged, and monitored;
       -    Strong password requirements were not enforced;
       -    User account lists were not periodically reviewed for appropriateness; inappropriate
            authorizations and excessive user access privileges were allowed at some DHS
            components; and users were not disabled or removed promptly upon personnel
            termination;
       -    Emergency and temporary access was not properly authorized, and contractor
            development personnel were granted conflicting access to implement database changes;
       -    Initial and modified access granted to application and/or database, network, and remote
            users was not properly documented and authorized; and
       -    The process for authorizing and managing remote virtual private network (VPN) access
            for external state emergency management agencies and component contractors did not
            comply with DHS and component requirements.
   •   Ineffective safeguards over logical and physical access to sensitive facilities and resources:
       -    While performing after-hours physical access testing, we identified the following
            unsecured items: Government credit cards; financial system user IDs and passwords;
            laptop computers; and server names and IP addresses; and
       -    While performing social engineering testing, we identified instances where DHS
            employees provided their system user names and passwords to an auditor posing as a
            help desk employee.
   •   Ineffective or insufficient use of available audit logs:
       -    Logs of auditable events were not being reviewed to identify potential incidents, or were
            reviewed by those with conflicting roles;
       -    Logging of application and/or database events required to be recorded was not enabled;
       -    Documented procedures for audit log follow-up did not meet DHS requirements; and
       -    Evidence of audit log reviews was not retained.
2. Configuration Management - At the following DHS components: USCG, CBP, FLETC, FEMA,
   ICE, USCIS, and TSA, we noted:
   •   Lack of documented policies and procedures:
       -   To prevent users from having concurrent access to the development, test, and production
           environments of the system at four DHS components; and
       -   Configuration, vulnerability, and patch management plans had not been established and
           implemented, or did not comply with DHS policy;
   •   Vulnerabilities were identified during periodic internal scans, and related corrective actions
       were not reported and tracked in accordance with DHS policy; and
   •   Security patch management and configuration deficiencies were identified during the
       vulnerability assessment on hosts supporting the key financial applications and general
       support systems.
3. Security Management - At the following DHS components: USCG, CBP, DHS Headquarters,
   TSA, FLETC, FEMA, USCIS, and ICE, we noted:
   •   Systems certification and accreditation:
       -   Several component financial and associated feeder systems, as well as general support
           systems, were not properly certified and accredited in compliance with DHS policy;
       -   Compliance with the Federal Desktop Core Configuration (FDCC) security
           configurations is in progress, but has not been completed; and
       -   An instance where Interconnection Security Agreements were not documented.
   •   Roles and responsibilities have not been clearly defined:
       -   Instances of security roles and responsibilities not adequately defined for financial
           applications and general support systems; and
       -   System boundaries have not been adequately and completely defined within the System
           Security Plan.
   •   Lack of policies and procedures:
       -   One instance of incomplete or inadequate policies and procedures associated with
           computer incident response capabilities;
       -   Procedures for exit processing of transferred/terminated personnel, including
           contractors, had not been established; and
       -   Lack of component policies and procedures for IT-based specialized security training.
   •   Lack of compliance with existing policies:
       -   Several instances where background investigations of federal employees and contractors
           employed to operate, manage, and provide security over IT systems were not being
           properly conducted;
       -   Lack of compliance with DHS computer security awareness training requirements;
       -   Non-disclosure agreements were not completed at one DHS component; and
       -   A complete and accurate listing of workstations could not be provided at one DHS
           component, and as a result anti-virus protection is not installed on all workstations.
4. Contingency Planning - At the following DHS components: CBP and FEMA, we noted:
   •   Instances of incomplete or outdated business continuity plans, and of systems with
       incomplete or outdated disaster recovery plans. Some plans did not contain current system
       information, emergency processing priorities, procedures for backup and storage, or other
       critical information;
   •   Service continuity plans were not consistently and/or adequately tested, and individuals did
       not receive training on how to respond to emergency situations;
   •   An alternate processing site has not been established for high-risk systems; and
   •   Appropriate authorization to access backup media was not made available.
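The account-management conditions under Access Controls above (accounts not disabled on
termination; root access not restricted or authorized; user lists not periodically reviewed) and the
conflicting-role condition under Segregation of Duties below can be tested mechanically from two
routine exports: the HR separation report and the application's user/role listing. The script below is
an added illustration and is not part of this management letter or of any DHS system. The export
column layout, the role names "sysadmin" and "dba", the account names, the dates, and the
approved-administrator list are all constructed for the example; only the three segregation-of-duties
roles are taken from the finding.

```python
"""Mechanical account review: terminated-but-enabled accounts, segregation-of-duties
conflicts, and undocumented privileged access.

Added illustration only. The export formats, role names, account names and the
approved-administrator list are constructed for the example and are not taken
from any DHS system or from the management letter.
"""
import csv
import io
from datetime import date

# The three roles named in the Segregation of Duties finding. Any two of them on
# one enabled account lets a single person both initiate and approve a payment.
SOD_ROLES = {"Originator", "Funds Certification Official", "Approving Official"}

# Assumed role names for system-administrator/root and DBA access (not from the report).
PRIVILEGED_ROLES = {"sysadmin", "dba"}

# Constructed sample exports. Real inputs would be the HR separation report and
# the financial application's user/role listing.
HR_SEPARATIONS_CSV = """\
user_id,separation_date
jdoe,2010-06-15
mlee,2010-08-01
"""

APP_USERS_CSV = """\
user_id,status,roles
jdoe,ENABLED,Originator
asmith,ENABLED,Originator;Approving Official
bjones,ENABLED,Funds Certification Official
mlee,DISABLED,Originator;Funds Certification Official
root,ENABLED,sysadmin
cwu,ENABLED,dba
"""

# Assumed list of privileged accounts that have documented, individual authorization.
APPROVED_PRIVILEGED = {"cwu"}


def parse_users(text):
    """Parse the user export into {user_id: {"status": ..., "roles": set(...)}}."""
    users = {}
    for row in csv.DictReader(io.StringIO(text)):
        users[row["user_id"]] = {
            "status": row["status"].strip().upper(),
            "roles": {r.strip() for r in row["roles"].split(";") if r.strip()},
        }
    return users


def parse_separations(text):
    """Parse the HR separation report into {user_id: separation_date}."""
    return {row["user_id"]: date.fromisoformat(row["separation_date"])
            for row in csv.DictReader(io.StringIO(text))}


def find_terminated_enabled(users, separations, as_of):
    """Accounts still ENABLED on or after the HR separation date
    (finding: users not disabled or removed promptly upon termination)."""
    return sorted(uid for uid, sep in separations.items()
                  if uid in users
                  and users[uid]["status"] == "ENABLED"
                  and sep <= as_of)


def find_sod_conflicts(users):
    """Enabled accounts holding two or more of the conflicting roles."""
    conflicts = {}
    for uid, u in users.items():
        held = u["roles"] & SOD_ROLES
        if u["status"] == "ENABLED" and len(held) >= 2:
            conflicts[uid] = sorted(held)
    return conflicts


def find_unauthorized_privileged(users, approved):
    """Enabled root/DBA accounts that are not on the documented authorization
    list. A shared generic 'root' login lands here because no individual owns it."""
    return sorted(uid for uid, u in users.items()
                  if u["status"] == "ENABLED"
                  and u["roles"] & PRIVILEGED_ROLES
                  and uid not in approved)


def run_review(users_csv=APP_USERS_CSV, separations_csv=HR_SEPARATIONS_CSV,
               approved=APPROVED_PRIVILEGED, as_of=date(2010, 9, 30)):
    """Run all three checks. The returned dict, saved with the review date and
    reviewer, is the evidence that a periodic account review actually took place."""
    users = parse_users(users_csv)
    separations = parse_separations(separations_csv)
    return {
        "terminated_still_enabled": find_terminated_enabled(users, separations, as_of),
        "sod_conflicts": find_sod_conflicts(users),
        "unauthorized_privileged": find_unauthorized_privileged(users, approved),
    }


if __name__ == "__main__":
    for check, hits in run_review().items():
        print(f"{check}: {hits}")
```

Only enabled accounts are reported, so a disabled account that still carries conflicting roles
(mlee in the sample) does not appear; if role hygiene on disabled accounts matters, drop the status
test in find_sod_conflicts. Two of the three conflicting roles are enough to report, because the
usual abuse is one person both originating and certifying or approving the same payment.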
5. Segregation of Duties - At the following DHS components: USCG, CBP, FEMA, ICE, and
   USCIS, we noted:
   •   Financial system users had conflicting access rights as the Originator, Funds Certification
       Official, and the Approving Official;
   •   Lack of evidence to show that least privilege and segregation of duties controls exist; and
   •   Policy and procedures to define and implement segregation of duties were not properly
       developed and/or implemented.
These control findings, including other significant deficiencies, are described in greater detail in a
separate Limited Official Use component-specific Information Technology Management Letter
provided to DHS component management.

FINANCIAL SYSTEM FUNCTIONALITY
We noted that in some cases, financial system functionality is inhibiting DHS’ ability to implement
and maintain internal controls, notably IT application controls supporting financial data processing
and reporting. Financial system functionality limitations also contribute to other control
deficiencies reported in our report dated November 12, 2010, and can make compliance with the
Federal Financial Management Improvement Act (FFMIA) and the Office of Management and
Budget (OMB) Circular A-127 more difficult. At the following DHS components: USCG, CBP,
FLETC, ICE, USCIS, and TSA, we noted financial system functionality conditions to include:
   •   Inability to modify IT system core software and install controls to prevent duplicate
       payments.
       One component identified two instances where duplicate payments were made in
       FY 2009 and FY 2010, and the funds needed to be recovered;
   •   System limitations lead to extensive manual and redundant procedures to process
       transactions, to verify the accuracy of data, and to prepare financial statements;
   •   The financial systems in one component cannot be configured to:
       -   Prevent, detect, and correct excessive refunds;
       -   Provide summary information of the total unpaid assessments for duties, taxes, and fees
           by individual importer; and
       -   Report information on outstanding receivables, the age of receivables, or other data
           necessary for management to fully monitor collection actions;
   •   Two inventory tracking systems are not fully integrated with the financial system of record;
       and
   •   Several financial systems do not have the necessary functionality to enforce DHS-required
       system security requirements. For example, one system does not have the functionality to
       enforce policy requirements related to password complexity, account lockout, and profile
       changes.
       In addition, a system does not have the functionality to track new users or user
       profile changes.
Recommendations: We recommend that the DHS Office of the Chief Information Officer (OCIO), in
coordination with the Office of the Chief Financial Officer (OCFO), the DHS component OCIOs,
OCFOs, and other appropriate component management, review each individual IT NFR
appropriately to ensure that the DHS components enter the recommendations as Plans of Action and
Milestones in Trusted Agent FISMA, and work with the respective components to develop
corrective action plans to address the root cause and condition of each NFR.
Financial System Functionality Recommendation: We recommend that the DHS OCIO, in
coordination with the OCFO, the DHS component OCIOs, OCFOs, and other appropriate
component management, address the IT system aspects associated with the financial system
functionality issues listed above, or develop compensating/mitigating controls in order to eliminate
or reduce the associated risk.

MANAGEMENT COMMENTS AND OIG RESPONSE
The OIG obtained written comments on a draft of this report from the DHS CIO, DHS Acting CFO,
and DHS CISO. Generally, DHS management agreed with all of our findings and
recommendations. DHS management has developed a remediation plan to address these findings
and recommendations.
A copy of the comments is included in Appendix D.
OIG Response
We agree with the steps that DHS management is taking to satisfy these recommendations.

                                  Appendix A

       Description of Key DHS Financial Systems and IT
 Infrastructure within the Scope of the FY 2010 DHS Financial
                        Statement Audit

Below is a description of significant financial management systems and supporting IT infrastructure
included in the scope of the engagement to perform the financial statement audit.
United States Coast Guard (USCG)
Core Accounting System (CAS)
CAS is the core accounting system that records financial transactions and generates financial
statements for the Coast Guard. CAS is hosted at the Coast Guard’s Finance Center (FINCEN), in
Chesapeake, Virginia (VA). The FINCEN is the Coast Guard’s primary data center.
CAS interfaces with two other systems located at the FINCEN, the Workflow Imaging Network System (WINS) and the Financial and Procurement Desktop (FPD).
• CAS Version 4.1
• CAS Oracle Database 9.2.0.8.0 – 47 GB 16x750 MHz RISC Processor; cgofprod.world
• CAS Operating System – HP Unix 11.11; ARGUS Server

Financial Procurement Desktop (FPD)
The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports. FPD is interconnected with the CAS system and is located at the FINCEN in Chesapeake, VA.
• FPD Oracle 9.2.0.8.0 Database – 28 GB 12x750 MHz RISC Processor; LUFS.world
• FPD Operating System – HP UNIX 11.11; Dart Server

Workflow Imaging Network System (WINS)
WINS is the document image processing system, which is integrated with an Oracle Developer/2000 relational database. WINS allows electronic data and scanned paper documents to be imaged and processed for data verification, reconciliation, and payment. WINS utilizes MarkView software to scan documents, to view the images of scanned documents, and to render images of electronic data received. WINS is interconnected with the CAS and FPD systems and is located at the FINCEN in Chesapeake, VA.
• WINS Oracle 10.2.0.3 Database – 48 GB 12x750 MHz RISC Processor; PROD1.world
• WINS Operating System – HP Unix 11.11; Vigilant Server

Joint Uniform Military Pay System (JUMPS)
JUMPS is a mainframe application used for paying USCG active and reserve payroll.
JUMPS is located at the Pay and Personnel Center (PPC) in Topeka, Kansas.
• IBM Mainframe – z890
• JUMPS Operating System – z/OS 1.8 Base

Direct Access
Direct Access is the system of record, and all functionality, data entry, and processing of payroll events is conducted exclusively in Direct Access. Direct Access is maintained by IBM Application On Demand (IBM AOD) in the iStructure data center facility at Tempe, AZ, with a hot site located in a Qwest data center in Sterling, VA.
• Hardware – 1 Sunfire 4800, 2 Sunfire 880, 1 Sunfire 4500, 1 Sunfire v240, 2 Sunfire V440, 2 F5 Big-IP, 1 IBM 3650
• Software – PeopleTools v8.4, PeopleSoft HCM v8.0, WebLogic v8, Tuxedo v8, MicroFocus Cobol v4, Oracle DB v9, ImageNow v5.4.1, WebNow v3.4.1

Global Pay (Direct Access II)
Global Pay provides retiree and annuitant support services.
Global Pay is maintained by IBM AOD in the iStructure data center facility at Tempe, AZ, with a hot site located in a Qwest data center in Sterling, VA.
• Hardware – 2 Database Servers IBM P550, 1 Web/App Server IBM P520, 1 Web/App Server IBM P550, 1 W2K Server IBM xSeries 336, 2 F5 BIG-IP Load Balancers, 1 Database/App Server IBM P550, 2 Web Servers IBM P520, 1 App Server IBM P550, 1 Proxy Server SunFire v240
• Software – 2 PeopleSoft HRMS v9.0, 2 PeopleTools v8.46.05, PeopleSoft Enterprise Portal v8.0, 2 WebLogic v8.1 sp3, 2 Tuxedo v8.1 r3, 2 Oracle RDBMS v10.x, 1 McAfee Entercept v5.1 – IDS, 1 Checkpoint NG with Application Intelligence (R55) 105 – Firewall, 1 Legato v7.x

Shore Asset Management (SAM)
SAM is hosted at the Coast Guard's Operations Systems Center (OSC), in Martinsburg, WV. SAM provides core information about the USCG shore facility assets and facility engineering. The application tracks activities and assists in the management of the Civil Engineering (CE) Program and the Facility Engineering (FE) Program.
SAM data contributes to shore facility assets full life cycle Program management, facility engineering full life cycle Program management, and the rationale to adjust USCG mission needs through planning, budgeting, and project funding. SAM also provides real property inventory and management of all shore facilities, in addition to the ability to manage and track the facilities engineering equipment and the maintenance of that equipment.
• Hardware platform: Intel MP BladeServer SBXD132, 2x Xeon Dual Core 2.66 GHz, EMT64, 4 GB RAM (8 GB DB Servers), Mirrored 72 GB SAS, 2x 1 GB Network Interface
• Operating System: Windows 2003 Server Standard 5.2.3790 Service Pack 2 build 3790
• Security Software: McAfee VirusScan Enterprise 8.0.0
• Database: Oracle 9i, 32 bit

Naval and Electronics Supply Support System (NESSS)
NESSS is one of four automated information systems that comprise the family of Coast Guard logistics systems.
NESSS is a fully integrated system linking the functions of provisioning and cataloging, unit configuration, supply and inventory control, procurement, depot-level maintenance and property accountability, and a full financial ledger.
• Hardware platform: 1 HP A7137A, 1 Dell PowerEdge 6450, 2 Dell PowerEdge 6650, 2 HP A3639A
• Software: Oracle Application Server Forms and Report Services 10.1.2.02, Xventory Baseline, File Replication Pro, Windows 2003 Server Enterprise Edition, PDF Pagemaster

Aviation Logistics Management Information System (ALMIS)
ALMIS provides Coast Guard Aviation logistics management support in the areas of operations, configuration management, maintenance, supply, procurement, financial, and business intelligence. Additionally, ALMIS covers the following types of information: Financial, Budget, Planning, Aircraft & Crew Status, Training & Readiness, and Logistics & Supply. The Aviation Maintenance Management Information System (AMMIS), a subcomponent of ALMIS, functions as the inventory management/fiscal accounting component of the ALMIS application.
The Aircraft Repair & Supply Center (ARSC) Information Systems Division (ISD) in Elizabeth City, North Carolina hosts the ALMIS application.
• Linux AS 4.0 (OS for Oracle Databases)
• HP-UX 11i (OS for Ingres Databases)
• Oracle 10g (Database Services)
• Ingres 2.6 (Database Services)
• Windows 2000 Advanced Server (Web Server)

CG Treasury Information Executive Repository (CG TIER)
CG TIER is a financial data warehouse containing summarized and consolidated financial data relating to USCG operations. It is one of several supporting applications within the CAS Suite designed to support the core financial services provided by FINCEN. CG TIER provides monthly submissions to DHS Consolidated TIER.
• Database – Oracle v8.1.7.4 (Tiers)
• Operating System – HP-UX v11.11

Customs and Border Protection (CBP)

SAP Enterprise Central Component (SAP ECC 6.0)
SAP is a client/server-based financial management system and includes the Funds Management, Budget Control System, General Ledger, Real Estate, Property, Internal Orders, Sales and Distribution, Special Purpose Ledger, and Accounts Payable modules. These modules are used by CBP to manage assets (e.g., budget, logistics, procurement, and related policy), revenue (e.g., accounting and commercial operations: trade, tariff, and law enforcement), and to provide information for strategic decision making. The SAP ECC 6.0 financial management system is included in full scope in the FY 2010 financial statement audit. The SAP ECC 6.0 system is located in Newington, VA.

Automated Commercial System (ACS)
ACS is a collection of mainframe-based business process systems used to track, control, and process commercial goods and conveyances entering the United States territory, for the purpose of collecting import duties, fees, and taxes owed the Federal government.
ACS collects duties at ports, collaborates with financial institutions to process duty and tax payments, provides automated duty filing for trade clients, and shares information with the Federal Trade Commission on trade violations and illegal imports. The ACS system is included in full scope in the FY 2010 financial statement audit. The ACS system is located in Newington, VA.

Automated Commercial Environment (ACE)
ACE is the commercial trade processing system being developed by CBP to facilitate trade while strengthening border security. It is CBP's plan that ACE will replace ACS when ACE is fully implemented. The mission of ACE is to implement a secure, integrated, government-wide system for the electronic collection, use, and dissemination of international trade and transportation data essential to federal agencies. ACE is being deployed in phases, with no set final full deployment date due to funding setbacks. As ACE is partially implemented now and processes a significant amount of revenue for CBP, ACE was included in full scope in the FY 2010 financial statement audit. The ACE system is located in Newington, VA.

Federal Law Enforcement Training Center (FLETC)

Financial Accounting and Budgeting System (FABS)
Processing Location: FLETC Headquarters in Glynco, GA
The FLETC FABS application is an all-in-one financial processing system. It functions as the computerized accounting and budgeting system for FLETC. The FABS system exists to provide all of the financial and budgeting transactions in which FLETC is involved.
The FABS environment primarily consists of the latest version of the Momentum COTS software (version 6.1), an Oracle 10g database, and its companion Oracle 10.2 Database Management System (DBMS). An application called "Tuxedo" also resides on a separate server. The Tuxedo middleware holds 67 executable files. These files are scripts that process daily information and are not directly accessible by users. The FABS application and servers reside on the FLETC LAN in a hybrid physical network topology and are accessible from four sites: Glynco, GA; Washington, D.C.; Artesia, New Mexico; and Cheltenham, MD.
• Hardware: Hewlett Packard ProLiant BL465c Blade Servers (web and application) and Hewlett Packard ProLiant BL685c Blade Servers (database)
• Operating System: Microsoft Windows 2003 Server running on virtual machines on top of VMware Infrastructure 3.5 Enterprise hypervisor on the web and application servers
• Database: Red Hat Enterprise Linux
• Security Software: The FABS system does not currently have a firewall scheme of its own; it resides on the FLETC LAN, which has a firewall in place
Interfaces:
• National Finance Center (NFC) Payroll System
• Student Information System (SIS)
• TIER
• US Coast Guard Interface
• Kansas City Financial Center (KFC)

Glynco Administrative Network
Processing Location: FLETC Headquarters in Glynco, GA
The purpose of the Glynco Administrative Network (GLYADLAN) is to provide access to IT network applications and services, including voice, to authorized FLETC personnel, contractors, and partner organizations located at the Glynco, Georgia facility.
It provides authorized users access to email, internet services, required applications such as Financial Management Systems (FMS), procurement systems, property management systems, video conferencing, and other network services and shared resources.
• Hardware: Cisco ACS TACACS Server, Avaya 8700 Media Servers, Dell PowerEdge servers 1750, 1850, 1950, 2650, 2850, 2950, and 6650
• Operating System: Windows XP SP2 (Desktop)
• Database: Red Hat Linux 4 Enterprise Edition
• Security Software: ASA 5500 series firewall and static IP addresses
Interfaces:
• FMS
• DHS HQ

Federal Emergency Management Agency (FEMA)

Core Integrated Financial Management Information System (IFMIS) (Operational through February 22, 2010)
Processing Location: Mount Weather Emergency Operations Center in Bluemont, VA
Core IFMIS was the key financial reporting system and had several feeder subsystems (budget, procurement, accounting, and other administrative processes and reporting).
The application was a Commercial Off-The-Shelf (COTS) software package developed and maintained by Digital Systems Group (DSG) Incorporated.
• Hardware: Two (2) HP 9000 servers (operational and standby)
• Operating System: HP-UX (Unix) version 11.11
• Database: Oracle 9i Enterprise Edition
• Security Software: Servers are protected by a Cisco PIX Firewall
Interfaces:
• NEMIS
• Credit Card Transaction Management System (CCTMS)
• Fire Grants
• Mitigation Grants
• eGrants
• ProTrac
• Payroll
• Department of Treasury
• Smartlink
• TIER

Grants and Training (G&T) IFMIS (Operational through February 22, 2010)
Processing Location: Mount Weather Emergency Operations Center in Bluemont, VA
In April 2007, the Office of Grants and Training (G&T), previously under the Department of Justice, was transferred to FEMA. Due to the short amount of time given to FEMA to take over the financial management role for G&T in FY 2007, a separate instance of IFMIS was inherited from the Department of Justice, resulting in two separate IFMIS instances at FEMA. G&T IFMIS held all former G&T financial information.
The application is a COTS software package developed and maintained by DSG Incorporated.
• Hardware: HP 9000 server
• Operating System: HP-UX (Unix) version 11.11
• Database: Oracle 9i Enterprise Edition
• Security Software: Servers are protected by a Cisco PIX Firewall
Interfaces:
• PARS

IFMIS-Merger (Operational as of February 23, 2010)
Processing Location: Mount Weather Emergency Operations Center in Bluemont, VA
IFMIS-Merger is the official accounting system of FEMA and maintains all financial data for internal and external reporting. IFMIS-Merger comprises five subsystems: Funding, Cost Posting, Disbursements, Accounts Receivable, and General Ledger.
The application is a COTS software package developed and maintained by DSG Incorporated.
• Hardware: Two (2) HP 9000 servers
• Operating System: HP-UX (Unix) version 11.11
• Database: Oracle 9i Enterprise Edition
• Security Software: Servers are protected by a Cisco PIX Firewall
Interfaces:
• Payment and Reporting System (PARS)
• ProTrac
• Smartlink (Department of Health and Human Services)
• TIER (Department of Treasury)
• Secure Payment System (SPS) (Department of Treasury)
• Grants Management System (Department of Justice)
• National Emergency Management Information System (NEMIS)
• US Coast Guard Credit Card System
• CCTMS
• Fire Grants
• eGrants
• Enterprise Data Warehouse (EDW)
• Payroll (National Finance Center)

Payment and Reporting System (PARS)
Processing Location: Mount Weather Emergency Operations Center in Bluemont, VA
PARS is a standalone web-based application. The PARS database resides on the IFMIS-Merger UNIX server. Prior to the merger of Core IFMIS and G&T IFMIS, PARS resided on the Core IFMIS server. Through its web interface, PARS collects Standard Form 269 information from grantees and stores the information in its Oracle 9i database. Automated cron jobs are run daily to update and interface grant and obligation information between PARS and IFMIS-Merger. All payments to grantees are made through IFMIS-Merger.
Prior to the IFMIS-Merger instance in February 2010, the PARS application interfaced with G&T IFMIS.
• Hardware: HP 9000 server
• Operating System: HP-UX (Unix) version 11.11
• Database: Oracle 9i Enterprise Edition
• Security Software: Servers are protected by a Cisco PIX Firewall
Interfaces:
• G&T IFMIS (prior to February 23, 2010)
• IFMIS-Merger (as of February 23, 2010)

National Emergency Management Information System (NEMIS)
Processing Location: Mount Weather Emergency Operations Center in Bluemont, VA
NEMIS is a FEMA-wide system of hardware, software, telecommunications, services, and applications. NEMIS consists of many integrated subsystems distributed over hundreds of separate servers accessed by thousands of client workstations. NEMIS is an integrated system that provides FEMA, the states, and other federal agencies with automation to perform disaster-related operations.
NEMIS supports all phases of emergency management and provides financial-related data to IFMIS via an automated interface.
• Hardware: Numerous HP ProLiant DL series servers
• Operating System: Linux, Microsoft NT, and Microsoft 2000
• Database: Replicated Oracle 10g, 9i, and 8i databases
• Security Software: Servers are protected by a PIX Firewall; Symantec Anti-Virus Corporate Edition version 10.1.4.4000
Interfaces:
• IFMIS
• US Coast Guard Credit Card System
• Small Business Administration

Traverse
Processing Location: Lanham, MD (until July 31, 2010); Landover, MD (after August 1, 2010)
Traverse is the general ledger application currently used by the National Flood Insurance Program (NFIP) Bureau and Statistical Agent to generate the NFIP financial statements. Traverse is a client-server application that runs on the NFIP Local Area Network (LAN) Windows server environment in Landover, MD.
The Traverse client is installed on the desktop computers of the NFIP Bureau of Financial Statistical Control group members.
• Hardware: Hewlett Packard ML530, Dual Xeon 2.8 Processors, 2 GB RAM, Redundant Array of Independent Disks (RAID) Storage
• Operating System: Microsoft Windows Server 2003
• Database: Microsoft Structured Query Language (SQL)
• Security Software: CheckPoint firewall
Interfaces:
No known system interfaces

Transaction Recording and Reporting Processing (TRRP)
Processing Location: Norwich, CT
The TRRP application acts as a central repository of all data submitted by the Write Your Own (WYO) companies for the NFIP. TRRP also supports the WYO program, primarily by ensuring the quality of financial data submitted by the WYO companies to TRRP. TRRP is a mainframe-based application that runs on the NFIP mainframe logical partition in Norwich, CT.
• Hardware: IBM 2086-220 Mainframe with two central processing units
• Operating System: IBM z/OS 1.9
• Database: WebFocus
Interfaces:
No known system interfaces

Immigration and Customs Enforcement (ICE)

Federal Financial Management System (FFMS)
The FFMS is a CFO-designated financial system and certified software application that conforms to OMB Circular A-127 and implements the use of a Standard General Ledger for the accounting of agency financial transactions. It is used to create and maintain a record of each allocation, commitment, obligation, travel advance, and accounts receivable issued.
It is the system of record for the agency and supports all internal and external reporting requirements. FFMS is a commercial off-the-shelf financial reporting system and is built on the Oracle 9i Relational Database Management System running on an IBM 9672 Mainframe with the z/OS 1.4 platform. The FFMS operating system runs on an IBM z/OS Version 1.4 Mainframe Server and Microsoft Windows 2000 report servers protected by firewalls. It includes the core system used by accountants, FFMS Desktop, which is used by average users, and an NFC payroll interface. As of July 2010, the FFMS mainframe component and two network servers are hosted at the DHS DC2 facility located in Clarksville, Virginia. Prior to July, the system was housed at the Department of Commerce in Springfield, VA.
FFMS currently interfaces with the following systems:
• Direct Connect for transmission of DHS payments to Treasury
• Fed Travel
• The Biweekly Examination Analysis Reporting (BEAR) and Controlling Accounting Data Inquiry (CADI), for the purpose of processing NFC user account and payroll information
• The Debt Collection System (DCOS)
• Bond Management Information System (BMIS) Web

ICE Network
The ICE Network, also known as the Active Directory/Exchange (ADEX) E-mail System, is a major application for ICE and other DHS components, such as USCIS. The ADEX servers and infrastructure for the headquarters and National Capital Area are located on the third floor of the Potomac Center North Tower in Washington, DC. The ICE Network utilizes a hybrid mesh/hub-and-mesh network design to maximize redundancy throughout the network. ICE operates off of Dell PowerEdge 2950, HP ProLiant DL385 Server, HP ProLiant BL45p Server Blade, HP BL25p Blade Server, and EMC Symmetrix DM.
ADEX has implemented the Microsoft Windows 2003 Enterprise Server operating system to provide directory, domain control, and network services to clients. For security purposes, ADEX has implemented firewalls and a logical Layer-3 encrypted overlay network through the use of Generic Routing Encapsulation (GRE) and IPsec tunneling.
ADEX currently interfaces with the following systems:
• Diplomatic Telecommunications Service Program Office (DTSPO) ICENet Infrastructure

Office of Financial Management (OFM)/Consolidated Component

DHS Treasury Information Executive Repository (DHSTIER)
DHSTIER is the system of record for the DHS consolidated financial statements and is used to track, process, and perform validation and edit checks against monthly financial data uploaded from each of the DHS bureaus' core financial management systems. DHSTIER is administered jointly by the OCFO Resource Management Transformation Office (RMTO) and the OCFO Office of Financial Management (OFM) and is hosted on the DHS OneNet at the Stennis Data Center in Mississippi.
• Database: Oracle DB 10g v10.3
• Operating System: Microsoft Windows 2003
• Hardware: HP ProLiant BL460c G1 server

Chief Financial Office VISION (CFO Vision)
CFO Vision is a subsystem of DHSTIER used for the consolidation of the financial data and the preparation of the DHS financial statements.
CFO Vision is also administered by RMTO and OFM and is hosted on the DHS OneNet at the Stennis Data Center in Mississippi.
• COTS Software: SAS Financial Management Solutions version 4.3 (FM 4.3) with its own internal SAS database
• Operating System: Microsoft Windows 2003
• Hardware: HP ProLiant BL460c G1 server

Transportation Security Administration (TSA)

Core Accounting System (CAS)
CAS is the core accounting system that records financial transactions and generates financial statements for the United States Coast Guard. CAS is hosted at the Coast Guard's FINCEN in Chesapeake, VA and is managed by the United States Coast Guard. The FINCEN is the Coast Guard's primary financial system data center. CAS interfaces with other systems located at the FINCEN, including FPD.
• CAS Version 4.1
• CAS Oracle Database 9.2.0.8.0 – 47 GB 16x750 MHz RISC Processor; cgofprod.world
• CAS Operating System – HP Unix 11.11; ARGUS Server

Financial Procurement Desktop (FPD)
The FPD application is used to create and post obligations to the core accounting system. It allows users to enter funding, create purchase requests, issue procurement documents, perform system administration responsibilities, and reconcile weekly program element status reports.
FPD is interconnected with the CAS system, is hosted at the FINCEN in Chesapeake, VA, and is managed by the United States Coast Guard.
• FPD Oracle 9.2.0.8.0 Database – 28 GB 12x750 MHz RISC Processor; LUFS.world
• FPD Operating System – HP UNIX 11.11; Dart Server

Sunflower
Sunflower is a customized third-party COTS product used for TSA and Federal Air Marshals (FAMS) property management. Sunflower interacts directly with the Office of Finance Fixed Assets module in CAS. Additionally, Sunflower is interconnected to the FPD system, is hosted at the FINCEN in Chesapeake, VA, and is managed by the United States Coast Guard.
• Sunflower Oracle Database – 10.2.0.3 – 2 x 3.06 GHz Xeon Processor – 72 GB
• Sunflower Operating System – Red Hat Linux 4.0 AS
• Sunflower Third Party Software – IBM Java 2.-131RC2

MarkView
MarkView is imaging and workflow software used to manage invoices in CAS. Each invoice is stored electronically and associated to a business transaction so that users are able to see the image of the invoice.
MarkView is interconnected with the CAS system, is located at the FINCEN in Chesapeake, VA, and is managed by the United States Coast Guard.
• CAS Oracle Database 9.2.0.8.0 – 47 GB 16x750 MHz RISC Processor
• CAS Operating System – HP Unix 11.11; ARGUS Server

United States Citizenship and Immigration Services (USCIS)

CLAIMS 3 LAN
CLAIMS 3 LAN provides USCIS with a decentralized, geographically dispersed LAN-based mission support case management system, with participation in the centralized CLAIMS 3 Mainframe data repository. CLAIMS 3 LAN supports the requirements of the Direct Mail Phase I and II, Immigration Act of 1990 (IMMACT 90), and USCIS forms improvement projects. The CLAIMS 3 LAN is located at the following service centers and district offices: Nebraska, California, Texas, Vermont, Baltimore District Office, and Administrative Appeals Office. CLAIMS 3 executes on Dell 220 S (EMC), RAID Controller, Disk Storage servers protected by firewalls, with Windows 2003 MS SP2 as the operating system and Pervasive database software, and is used to enter and track immigration applications. CLAIMS 3 LAN interfaces with the following systems:
• Citizenship and Immigration Services Centralized Oracle Repository (CISCOR)
• CLAIMS 3 Mainframe
• Integrated Card Production System (ICPS)
• CLAIMS 4
• E-filing
• Benefits Biometric Support System (BBSS)
• Refugee, Asylum, and Parole System (RAPS)
• National File Tracking System (NFTS)
• Customer Relationship Interface System (CRIS)
• USCIS Enterprise Service Bus (ESB)

CLAIMS 4
The purpose of CLAIMS 4 is to track and manage naturalization applications. CLAIMS 4 is a client/server application.
CLAIMS 4 runs off of Sunfire 890, 490, Solaris 9, and Oracle 9iR2 servers with Oracle 9i, Windows NT, and Windows 2000 Server operating systems and is protected by firewalls. The central Oracle Database that runs off Oracle Enterprise 9i is located in Washington, DC, while application servers and client components are located throughout USCIS service centers and district offices. CLAIMS 4 interfaces with the following systems:
• Central Index System (CIS)
• Reengineered Naturalization Automated Casework System (RNACS)
• CLAIMS 3 LAN and Mainframe
• Refugee, Asylum, and Parole System (RAPS)
• Enterprise Performance Analysis System (ePAS)
• National File Tracking System (NFTS)
• Asylum Pre-Screening System (APSS)
• USCIS Enterprise Service Bus (ESB)
• Biometrics Benefits Support System (BBSS)
• Enterprise Citizenship and Immigration Service Centralized Operational Repository (eCISOR)
• Customer Relationship Interface System (CRIS)
• FD 258 Enterprise Editions and Mainframe
• Site Profile System (SPS)

Appendix B

FY 2010 Notices of IT Findings and Recommendations at DHS

Notice of Findings and Recommendations (NFR) – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the DHS Consolidated Independent Auditors' Report.

1 – Not substantial
2 – Less significant
3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.

These ratings are provided only to assist DHS in prioritizing the development of its corrective action plans for remediation of the deficiency.

Department of Homeland Security
FY 2010 Information Technology – Notice of Findings and Recommendations – Detail

• United States Coast Guard
Notice of Findings and Recommendations – Detail
Coast Guard

Columns of the original table: NFR #; Condition; Recommendation; New Issue; Repeat Issue; Severity Rating. Each entry below lists the NFR number with its issue type and severity rating, followed by the Condition and the Recommendation.

CG-IT-10-01 (Repeat issue: X; Severity rating: 2)

Condition:
In FY 2009, we determined that Coast Guard was finalizing the business process that would be used to remediate the prior year NFR. Once this business process is finalized, a technical implementation could begin, and Coast Guard planned on using the Direct Access Human Resources (HR) system to notify system owners of HR status changes for all individuals within the Coast Guard.

During our FY 2010 follow-up test work, we determined that this NFR remediation is still in the planning stages. Requirements still need to be prioritized and cost estimates need to be developed in order to obtain funding. Coast Guard still plans on using Direct Access but will only implement this new process once Direct Access has been upgraded; however, the implementation date has not yet been finalized.

Recommendation:
We recommend that Coast Guard Headquarters continue with the following efforts:
• Develop a resource plan (RP) with associated supporting business case(s) to address account tracking for terminated, transferred, or retired contractor, military, and civilian personnel; and,
• Continue existing planning efforts and develop, document, and implement enterprise-wide processes that will notify all impacted system owners of terminated, transferred, or retired contractor, military, and civilian personnel.

CG-IT-10-02 (Repeat issue: X; Severity rating: 2)

Condition:
In FY 2009, we determined that DHS no longer requires all contracted employees to have a Minimum Background Investigation (MBI) if they have an existing confidential or secret clearance, and the new minimum standard is the National Agency Check and Inquiries (NACI). In addition, Coast Guard Headquarters had in place since 2007 Commandant Instruction (COMDTINST) M5520.12C, which stated that Program Managers are responsible for determining the risk level and position sensitivity designation associated with each Contract Line Item Number (CLIN) and/or labor category for procured contractor support. These will be provided to the Contracting Officer who is responsible for including them as solicitation and contract requirements. Unfortunately, this instruction did not include specific guidance for the Program Managers on how to set the correct and consistent risk levels and position sensitivity designations.

In FY 2010, we determined that Coast Guard Headquarters incorporated Program Manager guidance into the Commandant Instruction, as Enclosure 3, so that the Program Managers could determine the correct risk level and position sensitivity designation. An All Coast Guard (ALCOAST) message was also released in June that stated all contractors must have a favorable fingerprint check and an initiated or completed minimum investigation (NACI) in order to obtain a Common Access Card (CAC), effective immediately. This has resulted in two activities: 1) new contracts will incorporate these new requirements immediately, and 2) existing contracts will incorporate these new requirements when new task orders are issued, options are exercised, contract modifications are made, etc. Therefore, based upon the renewal/option date of a contract in place prior to the ALCOAST, it could take up to two years before all of the contractors throughout Coast Guard will meet these new requirements.

Furthermore, as part of our analysis, we were unable to determine if USCG had the capability to consistently produce a current and comprehensive list of all Coast Guard contractors to include valid background investigation information tied to the correct risk level and position sensitivity designation.

Although Coast Guard has taken corrective actions to remediate the prior year NFR CG-IT-09-10 by updating the Commandant Instruction and beginning the process of including the new requirements in contracts, we believe that not having the ability to identify and provide a full population of contractors working for Coast Guard does not fully remediate all of the findings and conditions from FY 2009. Therefore, this prior year NFR will be reissued in FY 2010.

Recommendation:
We recommend that Coast Guard Headquarters continue with the following efforts:
• Continue to update existing contracts to include the new contractor background check requirements, and perform associated contractor background checks.
• Continue to include new contractor background check requirements in new contracts, and perform associated background checks.
• Develop a RP with associated supporting business case(s) to address the need for a reporting mechanism for contractor risk level, position sensitivity designation, and associated background check.

CG-IT-10-03 (Repeat issue: X; Severity rating: 2)

Condition:
In FY 2009, we determined that Coast Guard Headquarters actively monitors all civilians to verify whether they have a valid background investigation on record. Coast Guard stated that it considers Coast Guard government positions that use, develop, operate, or maintain IT systems to be at least low risk based upon OPM guidance. Therefore, Coast Guard continued vetting individuals based on the OPM requirements for low risk positions, which require a NACI investigation. This position is not in compliance with the DHS standard that states that all DHS government positions that use, develop, operate, or maintain IT systems are considered at least moderate risk, and per DHS 4300A requirements, a Minimum Background Investigation (MBI) is the minimum standard of investigation.

In addition, Coast Guard Headquarters did not complete background reinvestigations for all civilian staff due to the fact that this is not a requirement under OPM guidance for low risk positions. This is in non-compliance with DHS policy (MD 11050.2) that states that reinvestigations must be completed every 10 years for moderate risk positions.

Further, a Joint Reform Team (JRT) has been established by the Office of the Director of National Intelligence (ODNI) and the Office of Management and Budget (OMB) to reform the federal suitability clearance process, and the JRT standards were scheduled for implementation by the end of Calendar Year 2010. The Coast Guard was waiting on the JRT report/guidance to be implemented prior to making a determination on whether it would follow the DHS standards in regards to civilian background investigations and reinvestigations.

During our FY 2010 follow-up, we determined that the Coast Guard will delay issuing any new or updated guidance/instructions until the JRT report/guidance has been issued and will continue to not comply with the DHS standards in regards to civilian background investigations and reinvestigations. Coast Guard will continue to vet civilian individuals based on the OPM requirements and associated methodology both in terms of initial background investigations and reinvestigations.

In addition, Coast Guard has created an organization-wide automated report that shows the background investigation status of each civilian Coast Guard employee. However, Coast Guard is currently unable to consistently generate error-free reports. Coast Guard stated that the report could be corrected within two years if additional resources are provided.

Recommendation:
We recommend that Coast Guard Headquarters continue with the following efforts:
• Develop a RP with associated supporting business case(s) to address fixing the organization-wide background investigations report.
• Continue existing efforts to update, document, and implement the overall Coast Guard personnel security process for civilian personnel, based upon the JRT report/guidance.

CG-IT-10-04 (New issue: X; Severity rating: 1)

Condition:
From October 1, 2009 through November 29, 2009, there was not adequate guidance in place for Coast Guard to properly assess the financial statement impact of changes to the production environment of the CAS, FPD and WINS.

During this time period, two CAS changes were implemented into production without a proper assessment of the financial statement impact of the proposed changes.

Upon the effective date of the Financial Impact Determination for Data Scripts and System Change Requests Memorandum on November 30, 2009, Coast Guard began and continued to follow adequate guidance to properly assess the financial statement impact of changes to CAS, FPD and WINS.

Recommendation:
No recommendation required. Coast Guard took appropriate corrective action during the current fiscal year to remediate the exception that was identified during this fiscal year.

CG-IT-10-05 (Repeat issue: X; Severity rating: 3)

Condition:
We determined that some previously noted weaknesses were remediated (particularly in the second half of FY 2010), while other control deficiencies continued to exist. The remaining control deficiencies that were present throughout FY 2010 vary in significance; however, three key areas that impact the Coast Guard Script control environment are: 1) Script Testing Requirements; 2) Script Testing Environment; and 3) Script Audit Logging Process.

a. Script Testing Requirements: Limited testing requirements exist to guide FINCEN staff in the development of test plans and guidance over the functional testing that should be performed. Additionally, we determined that there are no detailed requirements over the review and testing of functional changes to the data. FINCEN only tracks and documents the number of transactions updated on scripts that have a financial impact and not the detailed dollar amounts associated with the financial impact transactions.

b. Script Testing Environment: Not all script changes were tested in the appropriate CAS Suite test environments, as required. FINCEN management informed us that the testing environments, CAS4 and LUFSFQT3, were offline for these exceptions due to a refresh of the databases and that testers used CAS3 and Alpha as alternate testing environments instead. However, FINCEN management informed KPMG that these environments are refreshed on an as-needed basis and no further information could be provided over how frequently the CAS3 and Alpha databases were refreshed to verify that the scripts were adequately tested in the appropriate environment. Furthermore, we determined that guidance is not provided over the use of alternate testing environments for the testing of scripts to ensure they are adequately tested.

c. Script Audit Logging Process: The CAS, FPD, and Sunflower databases are logging changes to tables as well as successful and unsuccessful logins. However, no reconciliation between the scripts run and the changes made to the database tables is being performed to monitor the script activities and ensure that all scripts run have been approved through the Change Management Script System or Serena. In addition, we noted that FINCEN has not established a formal process to monitor and review changes made to the Sunflower database, including the tables and activities modified by the database administrators.

During our test work, we noted weaknesses in the script change management process as it relates to the ICOFR process (e.g., the financial statement impact of the changes to the CAS Suite through the script change management process). While a process exists to identify and route a script with potential financial statement impact through an assessment process, the review and determination over each script is primarily performed without structured/detailed procedures in place. Furthermore, the rationale documenting the impact of the script, whether deemed as having financial impact or not, is not documented and retained. In addition, within the CAS Suite environment, there are over 200 scripts run on a weekly basis, and we noted that the financial statement impact assessment is essentially performed by a single branch, which has authorized only three people to assess the scripts.

Recommendation:
We recommend that Coast Guard:
• Update the scripting policies and procedures to include additional and more detailed test documentation;
• Develop training that addresses all aspects of script testing (including documentation of test documents) and provide training to appropriate CM staff;
• Develop a resource plan with associated supporting business case(s) to address the database audit logging requirements;
• Develop procedures and perform regular account revalidation for Serena to ensure privileges remain appropriate; and
• Conduct an assessment over the Internal Control Over Financial Reporting (ICOFR) process related to identifying and evaluating scripts that have a financial statement impact.

CG-IT-10-06 (Repeat issue: X; Severity rating: 2)

Condition:
To complement our IT audit testing efforts as part of the FY 2010 DHS Financial Statement Audit and Audit of Internal Control over Financial Reporting, we also performed social engineering testing. This testing was conducted at key Coast Guard locations that process, support and house Coast Guard financial data.

Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing / enabling computer system access. The term typically applies to trickery or deception for the purpose of information gathering, or gaining computer system access.

During the course of our social engineering test work, the objective was primarily focused on attempting to obtain user passwords. Posing as DHS technical support employees, attempts were made to obtain this type of account information by contacting randomly selected USCG employees by telephone at two Coast Guard locations, Headquarters (HQ) and the Coast Guard FINCEN. A script was followed which had us ask for assistance from the user in resolving a Coast Guard network issue. As presented in the following table, for each person we attempted to call, we noted whether the individuals were reached and whether we obtained any information from them that should not have been shared with us according to DHS policy. Our selection of individuals was not statistically derived, and, therefore, we are unable to project results to the Coast Guard or the DHS as a whole.

Recommendation:
We recommend that Coast Guard Headquarters update the annual Information Assurance (IA) training to include more robust "phishing" and "social engineering" guidance and instruction and explicitly test individuals during the training on these topic areas.

CG-IT-10-07 (New issue: X; Severity rating: 1)

Condition:
During the FY 2010 IT Audit, a selection of newly created users of the JUMPS application was made to inspect whether applicable documentation was recorded and retained to identify authorized users. We determined that documentation was not retained for one of the five users selected. We performed inquiry procedures with management to determine that access was appropriately restricted for this user; however, no JUMPS Access Authorization Form could be located. On July 20, 2010, management remediated the exception by completing a new JUMPS Access Authorization Form for the noted user, with a copy of the form being entered into the Coast Guard's ImageNow imaging repository.

Recommendation:
As noted in the condition, management remediated the exception upon notification of this IT NFR. No additional actions are required and, therefore, no recommendation will be issued.

CG-IT-10-08 (New issue: X; Severity rating: 1)

Condition:
During our FY 2010 test work, we determined that the Coast Guard TIER System password setting for lockout duration (PASSWORD_LOCK_TIME) is only configured to 0.0005 days (less than one minute). This setting was subsequently remediated on 7/19/201 to a setting of "UNLIMITED", which requires an administrator to unlock the account. We observed and noted that this remediation was taken by Coast Guard.

Recommendation:
No recommendation required. Coast Guard took appropriate corrective action during the current fiscal year to remediate the exception that was identified during this fiscal year.

CG-IT-10-09 (New issue: X; Severity rating: 2)

Condition:
To complement our IT audit testing efforts as part of the FY 2010 DHS Financial Statement Audit and Audit of Internal Control over Financial Reporting, we also performed after-hours physical security testing. This testing was conducted at key Coast Guard locations that process, support and house Coast Guard financial data.

We performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects include physical access to media and equipment that houses financial data and information residing on a USCG employee's / contractor's desk, which could be used by others to gain unauthorized access to systems housing financial information. The testing was performed at various USCG locations that process and / or maintain financial data. After gaining physical access to the facilities with a USCG employee who was designated to assist with and monitor our test work, we inspected a selection of 45 desks, cubicles, offices, and other work areas for each location. During the testing we were looking for items such as improper protection of user account login information, unsecured portable system hardware, including laptops and external hard drives, and open / active application or network sessions. In addition, we inspected work areas for documentation marked "For Official Use Only" (FOUO), personally identifiable information (PII), Federal Government credit cards, and agency badges. This list does not encompass the total type of items we were searching for during our testing. As depicted in the following table, for each location visited, we noted the type of unsecured information or property we identified and included the total exceptions noted by location, as well as by type of information or property identified.

Recommendation:
We recommend that Coast Guard:
• Update the annual IA training to include more robust office "physical security" and "clean desk" guidance and instruction and explicitly test individuals during the training on these topic areas.
• Implement enterprise-wide and site-specific processes for verifying the effectiveness of this training via mechanisms such as scheduled and ad hoc desk checks, training follow-ups, and other management controls.

CG-IT-10-10 (New/Repeat issue: X; Severity rating: not shown)

Condition:
In FY 2009, we determined that the Role-Based Training for USCG IA Professionals Commandant Instruction had been renamed the Role-Based Industry Standards for USCG IA Professionals Commandant Instruction. However, the renamed Instruction remained in draft form.

Recommendation:
We recommend Coast Guard Headquarters:
• Continue to implement Commandant Instruction Information Assurance Professional Certifications.
• Improve and utilize its manual tracking
In addition, we determined          process until such time that the Direct Access\n         that once the Instruction had been finalized, the           implementation is in place.\n         curriculum had been agreed upon and the training\n         implemented, Coast Guard would utilize the\n         Professional Certifications and Licenses module\n         within the Direct Access system rather than the\n         Training Management Tool (TMT) to monitor and\n         verify training completion. This was not the case as\n         Direct Access was not configured to track contractor\n         information and, therefore will not include training\n         information for contractors. The Instruction continued\n         to reference the use of the TMT and had not been\n         updated to include procedures for utilizing Direct\n         Access.\n\n         During our FY 2010 follow-up test work, we\n         determined that the Role-Based Industry Standards for\n         USCG IA Professionals Commandant Instruction had\n         been renamed Information Assurance Professional\n         Certifications and was formally issued on March 23,\n         2010.     
The Instruction stated that all military\n         employees assigned to an IA role must obtain a\n\n\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 32\n\x0c                                                                                                           Appendix B\n                                                Department of Homeland Security\n                                            Information Technology Management Letter\n                                                       September 30, 2010\n\nNFR                                                                                               New     Repeat   Severity\n                            Condition                                  Recommendation\n#No                                                                                               Issue    Issue    Rating\n      required certification within 12 months of the\n      Commandant Instruction issue date (i.e., March 23,\n      2011), and all civilian employees currently in an IA\n      role would be granted a waiver within 12 months of\n      the Commandant Instruction issue date.               The\n      Commandant Instruction further stated: 1) both\n      military and civilian employees assigned to an IA role\n      after the issuance date would be required to obtain a\n      certification within 12 months, including transfers, and\n      2) all certifications must be recorded / tracked in\n      Direct Access.        
Pertaining to contractors, the\n      Contracting Officer Technical Representative (COTR)\n      must keep records of all IA personnel that require and\n      have received role-based certification preparation or\n      Continuing Professional Education (CPE) credits, and\n      all training and certification requirements are inserted\n      within all future statements of work and awarded\n      contracts. The instruction also states that all IA\n      personnel (military, civilians, and contractors) must\n      receive initial professional certification preparation\n      and annual CPEs thereafter prior to being granted\n      Coast Guard IT systems access specific to those\n      security duties.\n\n      Although Coast Guard has taken corrective actions to\n      remediate this prior year NFR, we determined that\n      even though the corrective actions are planned for\n      completion by March 2011, they have not yet been\n      completed in FY 2010 (i.e., all IA professionals who\n      are required to obtain / maintain a professional\n      certification within a year of the date of the Instruction\n      have not obtained a certification to date). 
Our testing\n\n\n\n                 Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                    Page 33\n\x0c                                                                                                                                  Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\nNFR                                                                                                                      New     Repeat   Severity\n                              Condition                                           Recommendation\n#No                                                                                                                      Issue    Issue    Rating\n         noted that 8 or 3.9% of Coast Guard IA professionals\n         out of the total population of 205 have the required\n         certification for their prescribed level on file.\n         Furthermore, we noted that 59 or 28.7% of Coast\n         Guard IA professionals have not provided evidence of\n         industry-based training. In addition, through our\n         testing, we could not determine the number of IA\n         professionals that had been granted waivers for the\n         certification requirement. 
In closing, we also noted\n         that 14 Coast Guard System Administrators were not\n         listed as being part of the 205 Coast Guard IA\n         professionals.\nCG-IT-   During the FY 2010 IT Audit, a selection of users         We recommend that Coast Guard Finance Center           X                  1\n 10-11   added to the CG TIER application for the fiscal year      take the follow actions:\n         was made to inspect whether proper documentation          \xef\xbf\xbd For the user identified during testing, complete\n         was recorded and retained for identify authorized             and retain all appropriate access request\n         users. Our testing determined that documentation was          documentation; and,\n         not retained for one of the two CG TIER users             \xef\xbf\xbd Update the CG TIER account management\n         selected. Upon further inquiry with management, we            procedures to effectively track and retain user\n         were informed that the identified CG TIER user was            access documentation.\n         authorized access by the Financial Branch Chief;\n         however, the email approval had been lost.\nCG-IT-   During our FY 2009 test work, we determined that on       We recommend Coast Guard headquarters and the                   X         2\n 10-12   a quarterly basis, 45-90 Direct Access user accounts      PPC:\n         are randomly sampled and formally reviewed to             \xef\xbf\xbd Develop a RP with associated supporting\n         determine if access remains appropriate for each             business case(s) to address the 100% account\n         selected user account. 
As part of the quarterly review,      review requirement.\n         Coast Guard\xe2\x80\x99s Pay and Personnel Center (PPC)              \xef\xbf\xbd Continue to coordinate with the DHS CISO\xe2\x80\x99s\n         management verifies that no single user has both             office to determine and formalize the\n         CGAPPL (ability to enter an applicant) and                   frequency and depth / breadth of effective\n         CGHRSUP (ability to hire an application) roles. PPC          reviews that address the perceived risk. Based\n         management then verifies that no user has both               upon the results of these discussions with the\n\n\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 34\n\x0c                                                                                                                                 Appendix B\n                                               Department of Homeland Security\n                                           Information Technology Management Letter\n                                                      September 30, 2010\n\nNFR                                                                                                                     New     Repeat   Severity\n                            Condition                                            Recommendation\n#No                                                                                                                     Issue    Issue    Rating\n      CGAPPL and CGHIRE privileges within the Direct                  DHS CISO\xe2\x80\x99s office, the Coast Guard will\n      Access application.                                             
modify procedures and develop, if applicable,\n                                                                      required waivers/exceptions to reflect an\n      Per PPC management, there are 17,496 individuals\n                                                                      adequate percentage of Direct Access user\n      with active Direct Access accounts that maintain\n                                                                      accounts to be reviewed.\n      greater than read-only access. PPC management\n      further advised us that 6,920 (40%) of the Direct           \xef\xbf\xbd   Continue to use its existing risk-based account\n      Access accounts were revalidated during the period of           review efforts until such time that the\n      October 1, 2008 \xe2\x80\x93 September 17, 2009, leaving 10,576            procedures are updated in response to the\n      (60%) Direct Access accounts not revalidated during             activities associated with the second\n      FY09. As a result, we determined that 100% of Direct            recommendation.\n      Access user accounts with greater than read-only\n      access are not annually reviewed per the DHS\n      requirement.\n      During our FY 2010 test work, we were informed by\n      the Coast Guard that an annual review of 100% of the\n      Direct Access user accounts with greater than read-\n      only access (and their associated privileges) has not\n      been performed for this fiscal year.\n\n      Coast Guard also informed us that all Direct Access\n      accounts created and/or modified during the fiscal year\n      have been reviewed as part of the normal transfer and\n      aging processes; however, our testing did not extend to\n      validate this statement. Based upon a risk based\n      decision, the Coast Guard has designed a process to\n      review a subset of users that represent the greatest risk\n      to Direct Access. 
This annual review would cover\n      approximately 743 Direct Access users. The scope of\n      the review includes users with payment approval,\n      security administrator permissions, all contractors, and\n      users with update/delete permissions.\n\n\n\n                 Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                    Page 35\n\x0c                                                                                                                                   Appendix B\n                                                  Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2010\n\nNFR                                                                                                                       New     Repeat   Severity\n                              Condition                                            Recommendation\n#No                                                                                                                       Issue    Issue    Rating\n         However, since this subset review does not cover\n         100% of the Direct Access user accounts with greater\n         than read-only access (and their associated privileges)\n         as required by DHS, we consider this NFR to be re-\n         issued.\nCG-IT-   During our testing, we determined that all previous        We recommend that Coast Guard FINCEN:                  X                  1\n 10-13   year conditions listed in NFRs CG-IT-09-46 were            \xef\xbf\xbd  Develop a RP with associated supporting\n         properly remediated by USCG. We consider this                 business case(s) to address the installation of\n         prior-year IT NFR as closed.                                  
Service Pack 3 on all applicable Windows XP\n                                                                       workstations and/or upgrade the operating\n         As part of this year\xe2\x80\x99s testing, we identified one             systems of these workstations to the Coast\n         security configuration management weakness (i.e.,             Guard\xe2\x80\x99s Vista-based Standard Image 6.0.\n         outdated operating system software) on hosts               \xef\xbf\xbd Develop a RP with associated supporting\n         supporting CAS, FPD, NESSS, as well as those                  business case(s) to address the server\n         systems\xe2\x80\x99 network infrastructure and associated                operating system upgrades to include a\n         workstations.                                                 technical analysis to ensure Windows 2003\n                                                                       server upgrades do not adversely affect system\n         Table 1, starting on the next page, lists the conditions      operation.\n         as identified by the software tool used, the system\n                                                                    \xef\xbf\xbd Based upon the results of Recommendation 1\n         (host) impacted, effect statement, IT general control\n                                                                       and Recommendation 2, schedule and perform\n         area, software tool used to identify the condition, and\n                                                                       the upgrades and/or patches of the impacted\n         if the condition identified was a prior year IT audit\n                                                                       servers and workstations.\n         issue. 
The conditions listed in Table 1 are potentially\n         exploitable by an insider without specific knowledge\n         of the operation of the system or the applications\n         hosted on that system.\nCG-IT-   During our FY 2010 audit test work, we sampled 25          We recommend the Coast Guard\xe2\x80\x99s Operation               X                  2\n 10-14   new user accesses for NESSS that were granted during       Systems Center (OSC) update the NESSS account\n         the fiscal year to determine if an access authorization    management Standard Operating Procedure (SOP)\n         form had been completed, if the access had been            to provide clear guidance regarding the use of user\n         timely approved by the user\xe2\x80\x99s supervisor, and that the     access forms and update the access form to include\n\n\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 36\n\x0c                                                                                                                                    Appendix B\n                                                    Department of Homeland Security\n                                                Information Technology Management Letter\n                                                           September 30, 2010\n\nNFR                                                                                                                        New     Repeat   Severity\n                                Condition                                             Recommendation\n#No                                                                                                                        Issue    Issue    Rating\n         forms were retained. Based upon our testing, we were          an approval signature line.\n         unable to obtain 9 of the 25 user access forms. 
In\n         addition, evidence of supervisory approval for 9 of the\n         25 sampled users was not available.\n\nCG-IT-   During the FY 2010 audit test work, Aviation                  We recommend that Coast Guard:                       X                  1\n 10-15   Logistics Center (ALC) visitor logs for the fiscal year       \xef\xbf\xbd  Develop and maintain an SOP to ensure that\n         were obtained to determine whether proper                        the ALC Data Center Access Control list is\n         documentation was recorded and retained for the                  kept current and that its quarterly review is\n         verification of individuals visiting the ALC Data                documented and maintained; and\n         Center and Facility. Our testing determined that the          \xef\xbf\xbd Re-emphasize to all ALC Support Desk\n         ALC Customer Support Desk did not properly                       personnel (through training), the importance\n         complete the visitor logs during the FY 2010 audit               of properly maintaining the visitor log and to\n         period. Specifically, from a total of 190 visitor log            ensure it is filled out completely and\n         entries for the fiscal year, 33 visitor log entries did not      accurately.\n         have the Date-Out and Time-Out fields completed and\n         31 visitor log entries did not have the Sponsor field\n         completed.\n\n         Additionally, the ALC Data Center Access Listing\n         was obtained to determine whether a review of the\n         access listing was conducted and evidence of the\n         review was performed and maintained. Our testing\n         determined that the evidence of reviews of the Data\n         Center Access for the FY 2010 period was not\n         maintained. 
Therefore, we could not determine that\n         the Data Center Access Listing had been properly\n         reviewed during the year.\n\n\n\n\n                     Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                        Page 37\n\x0c                                                                                                                                Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\nNFR                                                                                                                    New     Repeat   Severity\n                              Condition                                          Recommendation\n#No                                                                                                                    Issue    Issue    Rating\nCG-IT-   During the FY 2010 IT Audit, the Aviation                 We recommend that the Coast Guard configure the      X                  1\n 10-16   Maintenance Management Information System                 AMMIS application to enforce the strong\n         (AMMIS) password configuration settings were              password and password history requirements\n         obtained and tested to determine whether they             described in the DHS Management Directive\n         complied with DHS policy. Our testing determined          4300A Policy Directive and to update all impacted\n         that the AMMIS subsystem password configuration           Certification & Accreditation and system\n         settings do not comply with all of the required DHS       documentation accordingly.\n         password guidelines. 
Specifically, AMMIS password\n         configuration settings did not comply with the\n         following DHS password policy:\n\n             \xef\xbf\xbd   Contain a combination of alphabetic, numeric,\n                 and special characters \xe2\x80\x93 the AMMIS\n                 password requires a combination of\n                 alphabetic, numeric, or special characters; and\n\n             \xef\xbf\xbd   Not be the same as the previous 8 passwords.\n                 The AMMIS password configuration is set to\n                 be the same as the previous 6 passwords.\n\n         Additionally, our testing determined that the current\n         Aviation Logistics Management Information System\n         (ALMIS) System Security Plan (SSP), which includes\n         the system level requirements of the AMMIS\n         subsystem, states that the implemented password\n         configuration does not comply with the current DHS\n         password policy. Specifically, the ALMIS SSP states\n         that the password cannot be the same as the previous 6\n         passwords; however, DHS guidance states that\n         passwords cannot be the same as the previous 8\n         passwords.\n\n\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 38\n\x0c                                                                                                                                Appendix B\n                                                  Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2010\n\nNFR                                                                                                                    New     Repeat   Severity\n                              Condition                                           
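The password settings cited in CG-IT-10-08 (lockout duration) and CG-IT-10-16 (complexity and history) can be checked mechanically rather than by reading configuration screens. The following Python script is an added example, not code from the audit report or from any Coast Guard system. It encodes the values stated in the two NFRs (a history depth of 8; a complexity rule requiring all of alphabetic, numeric, and special characters rather than any one of them; "UNLIMITED" lockout as acceptable), audits constructed sample configurations that mirror the before and after states described above, and shows why an "or" complexity rule and a 6-deep history admit passwords that the DHS rule rejects. The setting keys, the Finding record, the sample configurations, and the one-minute lockout floor (taken from the NFR's wording, not a value the page states as policy) are assumptions made for this illustration.

```python
"""Checks for the password settings cited in CG-IT-10-08 and CG-IT-10-16.

Added example, not code from the audit report or from any Coast Guard system.
The threshold values are those stated in the NFRs; the setting keys, the
Finding record, the one-minute lockout floor and the sample configurations
are assumptions for this illustration.
"""
import string
from dataclasses import dataclass
from typing import List, Optional, Union

# Policy values as stated in the NFRs.
MIN_HISTORY = 8           # "not be the same as the previous 8 passwords"
MIN_LOCKOUT_MINUTES = 1   # 0.0005 days (less than one minute) was cited as deficient (assumed floor)


@dataclass
class Finding:
    """One exception: which setting, what was observed, what the policy requires."""
    setting: str
    observed: str
    required: str


def check_lockout(lock_time_days: Union[float, str]) -> Optional[Finding]:
    """Lockout duration expressed in days, as PASSWORD_LOCK_TIME was on the page.
    "UNLIMITED" means an administrator must unlock the account, which satisfies
    the control; a numeric value must be at least MIN_LOCKOUT_MINUTES."""
    if isinstance(lock_time_days, str) and lock_time_days.upper() == "UNLIMITED":
        return None
    minutes = float(lock_time_days) * 24 * 60
    if minutes < MIN_LOCKOUT_MINUTES:
        return Finding("PASSWORD_LOCK_TIME",
                       f"{lock_time_days} days ({minutes:.3f} min)",
                       f"at least {MIN_LOCKOUT_MINUTES} minute or UNLIMITED")
    return None


def check_history(history_depth: int) -> Optional[Finding]:
    """Password history must block reuse of at least the previous MIN_HISTORY passwords."""
    if history_depth < MIN_HISTORY:
        return Finding("password history", f"previous {history_depth}", f"previous {MIN_HISTORY}")
    return None


def check_complexity_rule(rule: str) -> Optional[Finding]:
    """'all' = alphabetic AND numeric AND special (the DHS rule);
    'any' = a combination of alphabetic, numeric, OR special (the AMMIS setting)."""
    if rule != "all":
        return Finding("password complexity",
                       f"requires '{rule}' of alphabetic/numeric/special",
                       "requires all of alphabetic, numeric and special")
    return None


def audit_password_config(config: dict) -> List[Finding]:
    """Run the three checks over one configuration and return the exceptions."""
    results = [check_lockout(config["lock_time_days"]),
               check_history(config["history_depth"]),
               check_complexity_rule(config["complexity_rule"])]
    return [f for f in results if f is not None]


def meets_complexity(password: str, rule: str = "all") -> bool:
    """Apply the complexity rule to a candidate password: under 'any' a
    password drawn from a single character class is accepted."""
    classes = [any(c.isalpha() for c in password),
               any(c.isdigit() for c in password),
               any(c in string.punctuation for c in password)]
    return all(classes) if rule == "all" else any(classes)


def history_allows(candidate: str, previous: List[str], depth: int = MIN_HISTORY) -> bool:
    """Reject a candidate equal to any of the last `depth` passwords (oldest first).
    Real systems compare stored hashes; plaintext is used here only to show the logic."""
    return candidate not in previous[-depth:]


# Constructed sample configurations mirroring the two NFRs (assumptions).
TIER_BEFORE = {"lock_time_days": 0.0005, "history_depth": 8, "complexity_rule": "all"}
TIER_AFTER = {"lock_time_days": "UNLIMITED", "history_depth": 8, "complexity_rule": "all"}
AMMIS_OBSERVED = {"lock_time_days": "UNLIMITED", "history_depth": 6, "complexity_rule": "any"}

if __name__ == "__main__":
    for name, cfg in (("TIER before", TIER_BEFORE), ("TIER after", TIER_AFTER),
                      ("AMMIS", AMMIS_OBSERVED)):
        print(name, audit_password_config(cfg) or "no exceptions")
```

Run against the constructed configurations, the TIER "before" state yields a single lockout finding, the remediated state yields none, and the AMMIS state yields both a history and a complexity finding; `meets_complexity` and `history_allows` make the gap concrete by accepting an all-letter password under the "any" rule and a password reused eight changes ago under a 6-deep history.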
CG-IT-10-17
Condition: To complement our IT audit testing efforts as part of the FY 2010 DHS Financial Statement Audit and Audit of Internal Control over Financial Reporting, we also performed social engineering testing. This testing was conducted at key Coast Guard locations that process, support, and house Coast Guard financial data. Social engineering is defined as the act of attempting to manipulate or deceive individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing or enabling computer system access. The term typically applies to trickery or deception for the purpose of information gathering or gaining computer system access.

This was the second round of social engineering testing conducted as part of the FY 2010 DHS Financial Audit and Audit of Internal Control over Financial Reporting. Our initial testing occurred on June 30th and July 1st and resulted in Coast Guard IT-NFR-10-06 being issued. The testing approach and scope for the second round of testing were the same as for the initial round.

During the course of our social engineering test work, the objective was primarily focused on attempting to obtain user passwords. Posing as DHS technical support employees, we attempted to obtain this type of account information by contacting randomly selected USCG employees by telephone at two Coast Guard locations, Headquarters (HQ) and the Coast Guard Finance Center (FINCEN). A script was used to ask the user for assistance in resolving a network issue at the Coast Guard. As presented in the following table, for each person we attempted to call, we noted whether the individual was reached and whether we obtained any information from them that should not have been shared with us according to DHS policy. Our selection of individuals was not statistically derived, and therefore we are unable to project results to the component or department as a whole.
Recommendation: It is recommended that Coast Guard implement the recommendations presented in Coast Guard IT-NFR-10-06. No additional actions are required.
New Issue: X; Severity Rating: 2

CG-IT-10-18
Condition: Our testing determined that evidence of reviews over the AMMIS audit logs for the FY 2010 audit period was not maintained by ALC. Therefore, we could not determine if the AMMIS audit logs had been properly reviewed during the year.

Additionally, our testing determined that reviews of all deactivated AMMIS accounts may not have been performed, and evidence of the reviews was not maintained by the ALC. Therefore, we could not determine whether deactivated AMMIS accounts had been properly monitored and reviewed during the year.

Lastly, we were informed by the ALC that the AMMIS audit logs were not being reviewed by an individual who is considered independent of the process. We noted that an AMMIS system administrator is responsible for reviewing the AMMIS audit logs.
Recommendation: We recommend that Coast Guard:
• Update the AMMIS Standard Operating Procedures to address the audit log review and retention procedures; and
• Implement separation of duties for the AMMIS audit log reviews.
New Issue: X; Severity Rating: 2

CG-IT-10-19
Condition: Our testing determined that evidence of a review and recertification of the 11,306 users with "Update" privilege in ALMIS was not maintained by the ALC. Therefore, we could not determine that ALMIS user accounts had been properly reviewed and recertified during the year.
Recommendation: We recommend that Coast Guard:
• Develop a RP with associated supporting business case(s) to address the 100% account review requirement;
• Continue to coordinate with the DHS CISO's office to determine and formalize the frequency and depth/breadth of effective reviews that address the perceived risk. Based upon the results of these discussions with the DHS CISO's office, the Coast Guard will modify procedures and develop, if applicable, required waivers/exceptions to reflect an adequate percentage of ALMIS user accounts to be reviewed; and
• Continue to use its existing risk-based account review efforts until such time that the procedures are updated in response to the activities associated with the second recommendation.
New Issue: X; Severity Rating: 2

CG-IT-10-20
Condition: Our testing determined that the AMMIS Software Change Request Forms were not appropriately authorized. Specifically, for the four (4) AMMIS software changes made during the fiscal year, two (2) of the software change request forms were not signed by the Division Chief.
Recommendation: We recommend that Coast Guard establish and follow a management review process to ensure that any new AMMIS SCRs processed are reviewed by the PC team for the proper and required signatures.
New Issue: X; Severity Rating: 1

CG-IT-10-21
New Issue: X; Severity Rating: 2
Recommendation: Coast Guard took appropriate corrective action to remediate the exception that was identified, and no additional corrective actions are required.
Condition: During our FY 2010 audit test work over the NESSS recertification process, we noted that 32 users were assigned the role FLS_USR_ADM_GRP within the NESSS application. This role grants the ability to add, modify, and delete user accounts. In addition, two (2) of these users were system administrators.
This\n         number of users with this elevated role was considered\n         excessive based upon the ratio of this role to the\n         NESSS user population.\n\n         On October 7, 2010, OSC management remediated the\n         condition by reducing the number of users with the\n         FLS_USR_ADM_GRP role down to six.\n\nCG-IT-   We determined that Operations System Center               We recommend that Coast Guard:                                 X         2\n 10-22   (OSC) had updated the policies and procedures for         \xef\xbf\xbd  Update the SAM and NESSS audit log review\n         System Administrators (SAs) and Database                     procedures within the Standard Operating\n         Administrators (DBAs) to include more detail and             Procedures to include more detail in the\n         instructions on entering sufficient evidence                 ClearQuest Tickets including recording the\n         regarding the weekly non-independent audit log               results of the review of the audit logs;\n         reviews documented and tracked in the ClearQuest          \xef\xbf\xbd Implement similar separation of duties for the\n         Ticketing system. We also noted that the monthly             NESSS audit log reviews as have been\n         SAM audit log reviews were being conducted by an             implemented for the SAM audit log reviews;\n         independent team.                                            
and;\n                                                                   \xef\xbf\xbd Continue with ongoing efforts for identifying,\n         Although OSC has taken steps to remediate the prior\n                                                                      designing, and implementing automated tools\n         year conditions by updating the policies and\n                                                                      to assist in audit log collection, storage,\n         completing the monthly independent reviews, we\n                                                                      analysis, and reporting which will further\n         determined that the 3 sampled months of SA and\n                                                                      improve consistency, timeliness, and accuracy\n         DBA audit log reviews did not have sufficient detail\n                                                                      of the reviews when compared with labor and\n         on the ClearQuest tickets.       
Specifically, we\n                                                                      time intensive manual processes.\n         identified the following:\n\n\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 42\n\x0c                                                                                                           Appendix B\n                                               Department of Homeland Security\n                                           Information Technology Management Letter\n                                                      September 30, 2010\n\nNFR                                                                                               New     Repeat   Severity\n                            Condition                                 Recommendation\n#No                                                                                               Issue    Issue    Rating\n          \xef\xbf\xbd    1 of the 3 SA monthly reviews did not have\n               a searchable title\n          \xef\xbf\xbd    2 of the 3 SA monthly reviews did not\n               include results of the audit log review (i.e.,\n               audit logs had no exceptions.)\n          \xef\xbf\xbd    3 of the 3 DBA monthly reviews did not\n               list the logs that were included in the\n               review\n          \xef\xbf\xbd    3 of the 3 DBA monthly reviews did not\n               have results of the audit log reviews\n\n      As a result of limitations of the underlying operating\n      system of the Shore Asset Management System AM\n      system:\n           \xef\xbf\xbd The servers do not automatically alert in\n               the event of an incident.\n           \xef\xbf\xbd The server operating systems do not\n               inherently provide audit reduction and\n               report generation capability.\n\n      
Furthermore, the OSC has not implemented a\n      centralized log solution for audit log reduction and\n      reporting, and automated alert notifications.\n\n      NESSS Audit Logs:\n      During our FY 2010 test work for the NESSS, we\n      noted that daily and weekly audit log reviews are\n      performed by the NESSS System Administrator.\n      The weekly audit log reviews are documented in the\n      ClearQuest system with a running ticket for the\n      calendar year. Each week\xe2\x80\x99s review is added to the\n\n\n\n                 Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                    Page 43\n\x0c                                                                                                                                Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\nNFR                                                                                                                    New     Repeat   Severity\n                              Condition                                          Recommendation\n#No                                                                                                                    Issue    Issue    Rating\n         ClearQuest ticket. However, we determined that\n         there is not sufficient detail in the ClearQuest ticket\n         in recording the results of the review of the audit\n         logs. Furthermore, as similar to SAM audit log\n         review process listed above, OSC has not\n         implemented a centralized log solution for audit log\n         reduction and reporting, and automated alert\n         notifications. 
In addition, the weekly reviews are\n         performed by the NESSS System Administrator,\n         who is not considered an independent party as\n         required by DHS MD 4300A.\nCG-IT-   During the FY 2010 audit test work, the OSC data          We recommend that Coast Guard develop detailed       X                  1\n 10-23   center access listing was obtained in order to            procedures for:\n         determine whether a review of the access listing was      \xef\xbf\xbd Quarterly data center access reviews to\n         conducted and evidence of the review was maintained.          include validating that users have a physical\n         OSC informed us that they perform a review of the             need to access the data floor; and\n         data center access on a quarterly basis. However, our     \xef\xbf\xbd Methods for maintaining the review\n         testing determined that the evidence of reviews               documentation.\n         concerning OSC data center access for the FY 2010\n         period was not maintained. Therefore, we could not\n         determine whether the OSC data center access listing\n         had been properly reviewed during the year.\n\nCG-IT-   During prior financial statement audits dating back to    We recommend Coast Guard to:                                  X         3\n 10-24   FY 2003, we noted that the implementation and             \xef\xbf\xbd Continue to implement and improve upon\n         oversight of the Coast Guard\xe2\x80\x99s information security          the monitoring of compliance with DHS,\n         controls needed various improvements. In FY 2010,            Coast Guard, and Federal security policies\n         continued improvements have been made in the areas           and procedures in the areas of script\n         of access controls, entity-level controls, and               configuration management controls to\n         configuration management. 
Improvements in the IT             include the use of the automated tools\n         control environment were identified at each of the           deployed at the FINCEN; and\n         Coast Guard financial processing locations where IT       \xef\xbf\xbd Develop and implement corrective action\n\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 44\n\x0c                                                                                                                                  Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\nNFR                                                                                                                      New     Repeat   Severity\n                              Condition                                           Recommendation\n#No                                                                                                                      Issue    Issue    Rating\n         audit was previously conducted.                               plans to address and remediate the NFRs\n                                                                       issued during the FY 2010 audit.\n         However, significant improvements are still warranted\n         in the area of script configuration management\n         controls for the key financial systems located at the\n         FINCEN. Script configuration management control is\n         the subject of the significant control deficiencies\n         identified and recommendations that were developed\n         during the audit. 
Other weaknesses continued to exist,\n         to a lesser extent, in the areas of access controls and\n         entity-wide security at each of the Coast Guard\n         financial processing locations.       These continued\n         weaknesses require Coast Guard to continue with the\n         implementation of their corrective actions plans and\n         monitoring efforts.\n\n         As a result of our audit test work and supported by all\n         the IT NFRs issued during the current year, we\n         determined that Coast Guard is non-compliant with the\n         Federal Financial Management Improvement Act\n         (FFMIA).\n\nCG-IT-   During our FY 2010 year-end IT roll-forward audit         The process for obtaining written sign-off on PIR      X                  1\n 10-25   testing procedures, we determined that one (1) of the     forms has recently been replaced with an\n         five (5) Financial Procurement Desktop (FPD),             automated workflow process that eliminates the\n         Production Implementation Request (PIR) forms             need for written approvals; therefore no additional\n         tested was not signed off on by the                       corrective actions are required.\n         analyst/submitter/implementer as required per the\n         FINCEN PIR form.\n\n\n\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 45\n\x0c                                                                                                                                Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\nNFR                                                                                                            
        New     Repeat   Severity\n                              Condition                                          Recommendation\n#No                                                                                                                    Issue    Issue    Rating\nCG-IT-   During the FY 2010 audit test work, we determined         We recommend that Coast Guard develop,               X                  2\n 10-26   that ALC policies and procedures for the following        document, communicate, train, test, and\n         control areas are not adequately detailed to provide      continuously maintain policies and procedures for\n         clear and complete control descriptions for each of the   the cited control and process areas.\n         following processes:\n\n             \xef\xbf\xbd   Physical Access to the data center and\n                 systems in the data center;\n             \xef\xbf\xbd   Access to Program Libraries;\n             \xef\xbf\xbd   Segregation of Duties in support of the\n                 AMMIS application;\n             \xef\xbf\xbd   AMMIS Audit Log Review and Retention;\n             \xef\xbf\xbd   Backups and Data Restoration; and,\n             \xef\xbf\xbd   Offsite Storage of Backup media.\n\nCG-IT-   The NESSS\xe2\x80\x99 Oracle verify_function in the SYS              We recommend that Coast Guard review and             X                  1\n 10-27   schema is incorrectly configured and does not include     update the Oracle verify function in the SYS\n         verification of special characters for passwords.         
schema to include the verification of special\n                                                                   characters for passwords.\n\nCG-IT-   During our FY 2010 audit test work, we followed up        We recommend Coast Guard continue with the                    X         1\n 10-28   with Coast Guard management and were notified that        PeopleSoft 9.0 upgrade and PeopleSoft Portal\n         this Direct Access audit logging weakness, noted in       implementation.\n         FY 2009, cannot be resolved until Direct Access is\n         updated to PeopleSoft version 9. There is no current\n         timeline for the upgrade to take place. The following\n         conditions were noted last year and are still open in\n         FY 2010.\n         Not all Direct Access failed logon attempts are logged\n         or reviewed; and account management audit logs for\n         the Direct Access application are not reviewed on a\n\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 46\n\x0c                                                                                                           Appendix B\n                                             Department of Homeland Security\n                                         Information Technology Management Letter\n                                                    September 30, 2010\n\nNFR                                                                                               New     Repeat   Severity\n                           Condition                                Recommendation\n#No                                                                                               Issue    Issue    Rating\n      monthly basis, which is a requirement set forth within\n      DHS Policy.\n\n\n\n\n                 Information Technology Management Letter for the FY 2010 Financial Statement Audit\n      
Department of Homeland Security
FY 2010 Information Technology - Notice of Findings and Recommendations – Detail

• Customs and Border Protection (CBP)

Notice of Findings and Recommendations – Detail
Customs and Border Protection

Columns: NFR # | Condition | Recommendation | New Issue | Repeat Issue | Risk Rating

CBP-IT-10-01 [New Issue: ] [Repeat Issue: X] [Risk Rating: 2]
Condition:
This is a system-level finding. KPMG noted that CBP portal accounts for separated employees are removed on a bi-weekly basis and are not removed on the day of the individual’s separation as required by CBP and DHS policy. KPMG did note that CBP is aware of the issue and is looking into an automated solution for compliance with CBP and DHS policy. Upon further testing of terminated employees, KPMG did not find any users that had accessed the system after their separation date from CBP.
Recommendation:
CBP should implement procedures to reinforce adherence to guidance requiring timely notification of separations by employees or contractors with access to ACE. Those responsible for ACE access control need to be notified of a separation no later than the day of separation.

CBP-IT-10-02 [New Issue: ] [Repeat Issue: X] [Risk Rating: 2]
Condition:
This is a system-level finding. KPMG noted that ACE is not currently configured to prevent incompatible roles from being assigned to a user, as required by CBP and DHS policies. While initial steps have been taken to address formal segregation of duties within the system, no additional actions have taken place.
Recommendation:
CBP Office of Information and Technology will continue to work with the Office of International Trade, Office of Administration and Office of Field Operations to identify incompatible roles and develop procedures as part of the access control process to ensure that these role combinations are not granted to ACE users, except when a waiver is granted in writing.

CBP-IT-10-03 [New Issue: ] [Repeat Issue: X] [Risk Rating: 2]
Condition:
This is a system-level finding. KPMG noted that evidence of completed ACE system log (Syslog) reviews did not include an appropriate level of detail. Specifically, during the majority of FY 2010, there was no formal method of documenting who performed the audit log reviews, when they were reviewed, what issues (if any) were identified, and the actions taken (if applicable). KPMG noted that procedures regarding the review of ACE audit logs had been established prior to FY 2010, and that management is currently implementing a formal method of documenting the requisite system log review information.
Recommendation:
We recommend that CBP maintain evidence that regular reviews of audit logs are occurring. Specifically, we recommend that CBP continue with plans initiated in July of 2010 to institutionalize a more formal method of documenting who performed reviews of audit logs, when these reviews occurred, and what issues (if any) were identified.

We also recommend that CBP perform a cost/benefit analysis to determine whether an ACE custom-developed solution or a purchased COTS product should be implemented for full automation of audit log reviews.

CBP-IT-10-05 [New Issue: X] [Repeat Issue: ] [Risk Rating: 2]
Condition:
Social engineering is defined as the act of attempting to manipulate or deceive people into taking action that is inconsistent with policies, such as divulging sensitive information or allowing / enabling computer system access. The term typically applies to trickery or deception for the purpose of information gathering, or computer system access.

The objective of our social engineering test work primarily focused on attempting to identify user passwords. Posing as DHS technical support employees, attempts were made to obtain this type of account information by contacting randomly selected employees by telephone. A script was used to ask for assistance from the user in resolving a network issue in the component. For each person we attempted to call, we noted in the table below whether the individual answered and whether we obtained any information from them that should not have been shared with us according to DHS policy. Our selection of individuals was not statistically derived, and therefore we are unable to project results to the component or department as a whole.

Of 25 individuals called, 16 answered. Of the 16 that answered, 2 divulged their network password.
Recommendation:
We recommend that CBP implement multiple types of security awareness reminders and opportunities to educate users of the importance of protecting CBP information systems and data. Specifically, we recommend that social engineering evaluations be incorporated into routine site inspections to test employees’ security awareness and to educate users on how to respond to information security attacks.

CBP-IT-10-06 [New Issue: ] [Repeat Issue: X] [Risk Rating: 2]
Condition:
This is a system-level finding. KPMG requested access authorization documentation for 25 individuals who were granted ACE access during FY 2010. Initial access requests and approvals for 9 of these individuals were not provided. Although a process for creating and maintaining user access forms and requests has been in place since before the beginning of FY 2010, access approvals prior to the creation of ACE accounts were not consistently maintained in accordance with CBP policy and procedures.
Recommendation:
We recommend that the Office of Information and Technology (OIT) issue a memorandum and distribute the procedures to the respective CBP Offices to implement. We also recommend that monitoring procedures be established to ensure compliance with the procedures and that OIT coordinate a meeting with the other CBP Offices to determine if centralized access control measures are necessary.

CBP-IT-10-07 [New Issue: ] [Repeat Issue: X] [Risk Rating: 2]
Condition:
We performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects include physical access to equipment that houses financial data and information residing on CBP personnel desks, which could be used by others to inappropriately access financial information. The testing was performed at various CBP locations that process and/or maintain financial data. A CBP employee was designated to assist with and monitor our test work. After gaining access to CBP facilities, we inspected a selection of desks and/or offices, looking for items such as improper protection of system passwords, unsecured information system hardware, documentation marked FOUO, and unlocked network sessions. Our selection of desks and offices was not statistically derived, and therefore we are unable to project results to the component or department as a whole. For each location visited, we noted the type of unsecured information or property we identified and included the total exceptions noted by location, as well as by type of information or property identified.

A total of 102 instances were identified across the six locations where physical assets or sensitive information were not secured in accordance with DHS and/or CBP policies.
Recommendation:
CBP should continue its annual security awareness training. In addition, it should seek to add other means of increasing security awareness.

CBP-IT-10-08 [New Issue: ] [Repeat Issue: X] [Risk Rating: 2]
Condition:
This is a component-level finding. KPMG noted that separation procedures for contract employees (Customs Directive 51715-006) are out of date and include incomplete and inaccurate references. Specifically, the procedures have not been updated since September 2001. The procedures reference Treasury facilities and Treasury policies as source documentation. KPMG notes that a new directive, CBP Directive 1210-007, entitled ‘Contractor Tracking System,’ was issued requiring the use of the Contractor Tracking System; however, the new directive still refers to the out-of-date Customs Directive 51715-006 for separation procedures for contractor employees.

Additionally, KPMG noted that SF 242 contractor separation forms are not completed consistently for separating CBP contractors. Specifically, KPMG noted that of 45 separated contractors with access to CBP facilities, information systems, and/or sensitive information who were selected for testing, 9 forms were not completed, were not provided, or were not completed in a timely manner.
Recommendation:
We recommend that CBP review the current Customs Directive and update it to reflect the current operating environment. Additionally, we recommend that CBP require the consistent and accurate completion of the SF 242 for all separating contractors with access to CBP facilities, information systems and/or sensitive information.

CBP-IT-10-09 [New Issue: ] [Repeat Issue: X] [Risk Rating: 2]
Condition:
This is a component-level finding. KPMG selected 45 government employees that had separated in FY 2010 and noted that 19 of these individuals did not have a completed CBP Form 241 on file.
Recommendation:
We recommend that CBP review the validity of the CBP Form 241 Employee Separation process and determine an alternate mechanism to hold managers accountable for timely notification of employee separations and for confirming the termination of access to information systems, and the return of property and equipment.

CBP-IT-10-10 [New Issue: ] [Repeat Issue: X] [Risk Rating: 2]
Condition:
This is a component-level finding. While KPMG notes that progress has been made in implementing procedures requiring the signing of NDAs, KPMG noted that NDAs are still not consistently completed by contractors at CBP. Specifically, KPMG noted that out of a selection of 45 contractors, one NDA was signed more than four months after the hire date. In addition, one NDA was not provided for a contractor in a medium or high risk position. Further, KPMG noted that the NDAs for 27 contractors in medium or high risk positions did not have a date of signature.
Recommendation:
We recommend that CBP implement a more consistent method of ensuring that each contractor employee in moderate and high-risk positions signs and dates an NDA.

CBP-IT-10-11 [New Issue: ] [Repeat Issue: X] [Risk Rating: 2]
Condition:
This is a component-level finding. KPMG has noted that CBP has not been able to provide evidence that workstations not on [redacted] are receiving anti-virus and other security patch updates on a timely basis. KPMG noted that while progress has been made in accounting for all CBP workstations, a complete and up-to-date listing of all CBP workstations has not been maintained for the majority of FY 2010.
Recommendation:
We recommend that CBP continue installing [redacted] and develop, implement, and monitor policies and procedures to move all workstations to [redacted] or to obtain waivers and compensating controls for those workstations that cannot be moved to [redacted].
As a result,\n         CBP does not have an accurate inventory of which\n         workstations have not received anti-virus and other\n         security patch updates.\n\n CBP-    CBP\xe2\x80\x99s RBST Program does not meet the DHS                    We recommend that CBP re-examine its role-based training       X                 2\nIT-10-   requirements for \xe2\x80\x9cannual specialized training\xe2\x80\x9d that is      program and consider implementing the DHS Role-Based\n  12     \xe2\x80\x9ccommensurate with the individual\xe2\x80\x99s duties and              Security Training Program once it has been implemented at\n         responsibilities.\xe2\x80\x9d Specifically, the CBP RBST program       the department level.\n         requires IT personnel to complete only one hour of\n         Incident Response training, and one hour of Classified\n         Information training (if applicable to the individual\xe2\x80\x99s\n         responsibilities) annually.\n\n         Furthermore, out of the sampled 45 CBP personnel\n         with significant IT security responsibilities, 5\n         completed the training after CBP\xe2\x80\x99s internal June 30,\n         2010 deadline. In addition, another eight have yet to\n         complete the training.\n\n CBP-    This is a component-level finding. 
We noted the             We recommend that management develop tools and                 X                 2\nIT-10-   following weaknesses related to access to the raised        procedures for facilitating and documenting the\n  13     floor area:                                                 approval/recertification and review of individual access to\n         \xef\xbf\xbd We reviewed access request authorizations to the          the raised floor area.\n              raised floor area of        and noted that of the 45\n              individuals selected, 1 authorized access form was\n              not provided.\n         \xef\xbf\xbd We reviewed evidence of the recertification of\n                            Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                               Page 53\n\x0c                                                                                                                                          Appendix B\n                                                         Department of Homeland Security\n                                                     Information Technology Management Letter\n                                                                September 30, 2010\n\nNFR                                                                                                                              New     Repeat    Risk\n                              Condition                                                Recommendation\n#No                                                                                                                              Issue    Issue   Rating\n             individuals with access to the raised floor area and\n             noted that of the 15 selected individuals, 2 had not\n             yet been recertified.\n\n CBP-    This is a system level finding. 
KPMG noted that            We recommend that CBP formalize a detailed procedure for               X        2\nIT-10-   although changes to a user\xe2\x80\x99s ACS access profile are        the review of ACS security profile change logs. The\n  14     logged, the logs of these events are not regularly         procedure should include implementing a periodic review of\n         reviewed by personnel independent from those               the logs by an independent reviewer.\n         individuals that made the changes.\n\n CBP-    During our technical testing, patch and configuration                                                                    X                 2\nIT-10-   management exceptions were identified on the\n  15\n\n\n\n\n                                                                                                                        .\n\n\n\n                           Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                              Page 54\n\x0c                                                                                                                                                Appendix B\n                                                         Department of Homeland Security\n                                                     Information Technology Management Letter\n                                                                September 30, 2010\n\nNFR                                                                                                                                    New     Repeat    Risk\n                               Condition                                                 Recommendation\n#No                                                                                                                                    Issue    Issue   Rating\n\n                                   .\n\n CBP-    This is a system-level finding and a 
prior year issue      We recommend that CBP devote sufficient resources in                         X        2\nIT-10-   from FY 2008 and FY 2009. KPMG determined that             order to implement and maintain formal ISAs with the PGAs\n  16     evidence of ISAs for 6 of the 17 PGAs identified in the    that interconnect with ACS. We recommend that CBP\n         System Security Plan could not be provided. Of the six     document ISAs for all ACS PGA connections identified in\n         that were provided, two expired during FY2010 and          the ACS SSP.\n         had not been renewed.\n\n CBP-    This is a system-level finding. We requested access        We recommend that CBP implement procedures to                                X        2\nIT-10-   authorization evidence for 45 ACS users to determine       consistently document the access requests and approvals for\n  17     whether ACS access was appropriately authorized.           any and all access creations and changes to ACS user\n         OIT was unable to provide evidence of the access           profiles.\n         request authorizations for any of the 45 selected ACS\n         users. As a result, we are not able to determine\n         whether ACS access initiations or modifications were\n         appropriately approved and whether ACS access\n         controls are in place and operating as required by DHS\n         and CBP policies.\n\n CBP-    This is a component level finding. We noted that           We recommend that CBP update the access authorization               X                 1\nIT-10-   access request forms, or evidence of recertification of    process to indicate that the access list will undergo a 100%\n  18     access, to the offsite media could not be provided for 5   recertification annually. The artifact should be an official\n         of the 15 selected employees.                              
report from the Contracting Officer Technical Representative\n                                                                    for offsite media storage clearly stating the results along with\n                                                                    backup paperwork for all add, deletes, and changes to the\n                                                                    access list.\n\n CBP-    This is a system level finding. We were informed that      We recommend that CBP develop and implement procedures                       X        2\nIT-10-   ACS Security Audit Logs are not being reviewed.            that document the review process for ACS profile change\n  19     Additionally, we noted that the following weaknesses       logs. The process should include the documented evidence\n         related to the ACS Security Audit Logs procedures          of review, how often audit logs are reviewed, and the review\n         continue to exist:                                         sampling methodology.\n         \xef\xbf\xbd Procedures do not define how often the ACS\n                           Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                              Page 55\n\x0c                                                                                                                                              Appendix B\n                                                         Department of Homeland Security\n                                                     Information Technology Management Letter\n                                                                September 30, 2010\n\nNFR                                                                                                                                  New     Repeat    Risk\n                               Condition                                                Recommendation\n#No                       
                                                                                                           Issue    Issue   Rating\n             security profile change audit logs are reviewed.\n         \xef\xbf\xbd   Procedures do not describe how the documented\n             evidence of the review process is created by the\n             ACS Information System Security Officer\n             (ISSO)/Independent Reviewer.\n         \xef\xbf\xbd   Procedures do not define the sampling\n             methodology that is used to select ACS profile\n             change security logs for review\n\n CBP-    This is a system-level finding. We noted the following      As the conditions were        closed   during   testing,   no             X        2\nIT-10-   weaknesses related to the               e configuration     recommendation is required.\n  20     settings:\n         \xef\xbf\xbd KPMG noted that users were allowed an\n              number of failed attempts to access datasets to\n              which they were not authorized.             KPMG\n              determined that the control option in the security\n              software, which results in immediate suspension of\n              any user who exceeds the specified number of\n              violations, had not been configured properly.\n              KPMG noted that this setting was corrected on\n              February 24, 2010.\n         \xef\xbf\xbd KPMG noted that users were allowed              failed\n              logon attempts before their accounts were locked.\n              At the end of the fiscal year the setting was\n              updated to three failed login attempts, and KPMG\n              observed the setting in the system and noted that it\n              was corrected on September 24, 2010.\n\n CBP-    This is a component level finding. 
We noted the             We recommend that CBP:                                                    X        2\nIT-10-   following weaknesses related to the CBP Background          \xef\xbf\xbd Complete via e-QIP the \xe2\x80\x9cinitiation\xe2\x80\x9d of all remaining\n  21     Investigation process:                                         employee reinvestigations by December 30, 2010.\n         \xef\xbf\xbd Of the 45 individuals selected, we noted that 1           \xef\xbf\xbd Complete the reinvestigations for all such employees by\n              contractor did not have a completed background            December 30, 2011.\n              investigation as required by the CBP Information       \xef\xbf\xbd Develop/deploy a tracking mechanism (Contractor\n              System Security Policies and Procedures                   Tracking System) by which to identify those contractors\n                            Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                               Page 56\n\x0c                                                                                                                                           Appendix B\n                                                       Department of Homeland Security\n                                                   Information Technology Management Letter\n                                                              September 30, 2010\n\nNFR                                                                                                                               New     Repeat    Risk\n                              Condition                                               Recommendation\n#No                                                                                                                               Issue    Issue   Rating\n             Handbook. 
We noted that this contract has access         requiring reinvestigation.\n             to the Automated Commercial Environment (ACE)        \xef\xbf\xbd   Develop and implement a strategy to ensure that\n             system.                                                  reinvestigations for all contractors are initiated as\n         \xef\xbf\xbd   Of the 45 individuals selected, we noted that 5          required.\n             employees and 25 contractors did not have their\n             background reinvestigations initiated within the\n             five year timeframe as required by CBP\n             Memorandum Regarding Reinvestigations, dated\n             August 18, 2008.\n\n CBP-    This is a system-level finding. ACS developers may       KPMG recommends that CBP reports on the TSS audit of             X                 2\nIT-10-   gain emergency/temporary access to the production        emergency access should be run as needed at management\xe2\x80\x99s\n  22     environment through the portal request process. While    (e.g., emergency approver\xe2\x80\x99s) request.\n         the emergency/temporary account activities are logged,\n         CBP does not review these activity logs to identify\n         inappropriate activities.\n\n CBP-    This is a system-level finding. Access approvals prior   We recommend that CBP fully transition their process for         X                 2\nIT-10-   to the creation of NDC-LAN accounts were not             requesting NDC-LAN Network access from the paper-based\n  23     consistently maintained in accordance with CBP policy    user access request form to an electronic user access request\n         and procedures. KPMG requested access authorization      form. Once the electronic form is fully implemented, the\n         documentation for 25 individuals who were granted        documented process will be updated to reflect that all NDC-\n         NDC-LAN access during FY 2010. 
Although a                LAN user access requests must go to the Technology Service\n         process for creating and maintaining user access forms   Desk (TSD) for action. TSD will generate a trouble ticket\n         and requests has been in place since before the          and attach the electronic access request form to the initial\n         beginning of FY 2010, initial access requests and        user request ticket for NDC-LAN access. The ticket will be\n         approvals for 10 of these individuals were not           issued in the name of the user gaining the access so it is\n         provided.                                                easily searchable.\n\n                                                                  TSD is currently in the development phase for a new user\n                                                                  account request portal which will provide a secure online\n                                                                  environment for managing this process. This new tool will\n                                                                  allow requestors the ability to complete and submit LAN and\n                                                                  eMail account requests via online web form. 
Once the\n                                                                  request is reviewed and approved by the CBP supervisor, a\n\n                           Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                              Page 57\n\x0c                                                                                                                                             Appendix B\n                                                         Department of Homeland Security\n                                                     Information Technology Management Letter\n                                                                September 30, 2010\n\nNFR                                                                                                                                 New     Repeat    Risk\n                              Condition                                                 Recommendation\n#No                                                                                                                                 Issue    Issue   Rating\n                                                                    ticket will be automatically generated (bypassing the need of\n                                                                    saving/attaching and emailing the TSD) and routed to the\n                                                                    appropriate group for processing. 
A log will be captured and\n                                                                    saved in the new system for each approved/denied request\n                                                                    for future reference.\n\n CBP-    CBP has not corrected functionality issues currently       To address this finding, CBP recommends that it continue to:     X                 2\nIT-10-   noted in ACS, and routine maintenance is increasingly      \xef\xbf\xbd   Modernize its business processes though the\n  24     difficult and expensive. Currently, only two vendors           development and deployment of functionality in the\n         support ACS, which limits CBP\xe2\x80\x99s ability to obtain              Automated Commercial Environment as it has done\n         maintenance services at a reasonable cost. During FY           since 2001.\n         2010, CBP spent nearly $12.1 million just to maintain      \xef\xbf\xbd Work with           stakeholders, including CBP personnel,\n         ACS at its current level of functionality. In addition,        the trade, participating government agencies, the\n         CBP is currently re-visiting the amount of funding             Department of Homeland Security and the Congress to\n         necessary to complete the implementation of the ACE            prioritize, develop, and deploy functionality that allows\n         financial modules and will complete this analysis in FY        CBP to fulfill its mission and meet the needs of its\n         2011.                                                          
stakeholders.\n                                                                    \xef\xbf\xbd Seek funds through the budget process that will allow\n         Due to these conditions regarding the functionality of\n                                                                        CBP to continue to develop and deploy functionality in\n         ACS and delayed implementation of ACE, CBP has\n                                                                               that will support CBP\xe2\x80\x99s mission and meet the\n         not resolved the following known ACS functionality\n                                                                        needs of its stakeholders.\n         issues:\n\n         \xef\xbf\xbd   ACS lacks the controls necessary to prevent, or\n             detect and correct excessive drawback claims. The\n             programming logic in ACS does not link drawback\n             claims to imports at a detailed, line item level. In\n             addition, ACS does not have the capability to\n             compare, verify, and track essential information on\n             drawback claims to the related underlying\n             consumption entries and export documentation\n             upon which the drawback claim is based. Export\n             information is not linked to the Drawback module\n             and therefore electronic comparisons of export data\n             cannot be performed within ACS. 
See NFR CBP-\n             10-20 for further details.\n                           Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                              Page 58\n\x0c                                                                                                                      Appendix B\n                                                      Department of Homeland Security\n                                                  Information Technology Management Letter\n                                                             September 30, 2010\n\nNFR                                                                                                          New     Repeat    Risk\n                           Condition                                        Recommendation\n#No                                                                                                          Issue    Issue   Rating\n      \xef\xbf\xbd   Certain monitoring reports used to monitor\n          (review) importer compliance with the in-bond\n          process have not been developed and therefore\n          importer compliance is not being tracked. In\n          addition, in-bonds are not automatically linked to\n          the relevant entry or export filings in ACS, which\n          leads to extensive manual work to close open in-\n          bonds. Finally, ACS does not provide the ability to\n          run oversight reports to determine if ports have\n          completed all required in-bond post audits and\n          exams. See NFR CBP-10-14 for further details.\n      \xef\xbf\xbd   ACS does not properly account for bond\n          sufficiency of claims that involve a continuous\n          bond and therefore a claimant can potentially claim\n          and receive an accelerated payment that exceeds\n          the bond amount on file. 
As a result, CBP will not\n          have sufficient surety against a drawback over\n          claiming. See NFR CBP-10-05 for further details.\n      \xef\xbf\xbd   ACS does not provide summary information of the\n          total unpaid assessments for duties, taxes, and fees\n          by individual importer (i.e., a sub-ledger) and\n          cannot provide reporting information on\n          outstanding receivables, the age of receivables, or\n          other data necessary for management to effectively\n          monitor collection actions. See NFR CBP-10-04\n          for further details.\n      \xef\xbf\xbd   The drawback selectivity function of ACS is not\n          programmed to select a statistically valid sample of\n          prior drawback claims against a selected import\n          entry. See NFR CBP-10-03 for further details.\n      \xef\xbf\xbd   ACS is programmed to automatically indicate that\n          a Port Director certified a refund or drawback\n          payment even if the Port Director does not certify a\n          given payment. 
See NFR CBP-10-19 for further\n          details.\n\n                        Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                           Page 59\n\x0c                                                                                                    Appendix B\n                             Department of Homeland Security\n                         Information Technology Management Letter\n                                    September 30, 2010\n\nNFR                                                                                        New     Repeat    Risk\n        Condition                                    Recommendation\n#No                                                                                        Issue    Issue   Rating\n\n\n\n\n      Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                         Page 60\n\x0c                                                                             Appendix B\n                       Department of Homeland Security\n                   Information Technology Management Letter\n                              September 30, 2010\n\n\n\n\n            Department of Homeland Security\n FY 2010 Information Technology - Notice of Findings and\n               Recommendations \xe2\x80\x93 Detail\n\n              Federal Emergency Management Agency\n\n\n\n\nInformation Technology Management Letter for the FY 2010 Financial Statement Audit\n                                   Page 61\n\x0c                                                                                                                                       Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\n          
FEMA-IT-10-01 (Repeat Issue; Risk Rating 3)
Condition: During FY 2010, FEMA finalized and documented requirements, and initiated automated technical processes and controls related to the NEMIS Access Control System (NACS) Position Re-Approval Project (NPRP). Specifically, Enterprise Operations Branch personnel have begun systematically expiring position assignments and requiring supervisor reauthorization of a subset of NACS accounts and related positions progressively over a 180-day period. Due to the volume of active positions, FEMA management stated that the recertification process will recertify all NACS positions after the 180 days and is anticipated to be completed in FY 2011.

Thus, while we noted that improvements were made by developing and implementing an automated process for recertifying all NACS accounts and related positions, including those related to NEMIS access, the initial recertification to review and revalidate all NACS accounts and positions has still not been completed.
Recommendation:
- Complete the initial recertification of all existing NACS accounts and related positions initiated in April 2010 to ensure that all active NEMIS accounts and their associated privileges are appropriately authorized; and
- Ensure that all NACS accounts and related positions are recertified by the user’s appropriate supervisor no less than annually, in accordance with DHS policy.

FEMA-IT-10-02 (Repeat Issue; Risk Rating 3)
Condition: FEMA has not established an alternate processing site for NEMIS. Additionally, an exception to DHS policy for the lack of an established alternate processing site, as required for systems such as NEMIS that are categorized as “high impact” for availability, has not been requested by FEMA.
Recommendation:
- Continue and complete efforts required to establish and implement an alternate processing site for NEMIS according to DHS 4300A.
- Until an alternate processing site is established, develop and submit an exception for approval in accordance with DHS policy, and ensure that compensating controls over the alternate processing site have been implemented and are effective, and that documentation of their effectiveness is maintained as auditable records.

FEMA-IT-10-03 (Repeat Issue; Risk Rating 2)
Condition: The FEMA domain security policy is configured to enforce activation of a password-protected screensaver on end-user workstations after 15 minutes of inactivity, rather than the five-minute inactivity threshold required by DHS policy.
Recommendation:
- Configure the FEMA LAN domain security policy to automatically activate a password-protected screensaver on end-user workstations after five
                           minutes of inactivity, consistent with DHS policy.\n                                                                     \xef\xbf\xbd   Implement appropriate management controls to\n                                                                         ensure timely communication and implementation\n                                                                         of existing and future DHS information security\n                                                                         policy requirements pertaining to the configuration\n                                                                         of FEMA end user workstations, and to\n                                                                         periodically assess system controls to determine\n                                                                         compliance.\nFEMA-    As noted during our FY 2009 audit procedures,               \xef\xbf\xbd   Revise the SOP, Monitoring Sensitive Access to                    X      3\nIT-10-   weaknesses exist in processes related to logging,               NEMIS, to ensure that it states that the scope of the\n  04     monitoring, and retaining audit logs on system                  procedures includes operating systems on all\n         software and operating systems supporting NEMIS.                
servers within system boundaries as defined in up-\n         Specifically, policies and procedures related to the            to-date NEMIS system documentation.\n         monitoring of activity on system software and               \xef\xbf\xbd   Acquire and deploy appropriate tools on operating\n         operating systems supporting NEMIS have not been                systems and servers supporting NEMIS to generate\n         revised to include all identified operating systems and         audit trails and records in accordance with FEMA\n         IT components that comprise the system boundary for             and DHS policy.\n         the NEMIS application.\n                                                                     \xef\xbf\xbd   Implement the SOP, Monitoring Sensitive Access\n                                                                         to NEMIS, by reviewing and retaining audit trails\n         Additionally, controls have not been configured and\n                                                                         and records in accordance with FEMA and DHS\n         appropriately implemented to log, monitor, or retain\n                                                                         policy.\n         sufficiently detailed audit logs for activity on NEMIS\n         operating systems and servers.\nFEMA-    As identified during the FY 2009 audit, PARS database       \xef\xbf\xbd   Document and implement a formal process to                        X      3\nIT-10-   security controls are not appropriately established as          implement appropriate controls to ensure that\n  05     noted below:                                                    inactive PARS database accounts are disabled in\n          \xef\xbf\xbd PARS database accounts are not reviewed to                   accordance with DHS policy.\n            identify accounts that have been inactive for 45         \xef\xbf\xbd   Configure PARS database accounts in 
accordance\n            days or more, as required by DHS policy for high             with DHS and FEMA requirements for passwords\n            impact systems.                                              and authenticator controls, including expiration,\n                                                                         reuse, and complexity.\n         \xef\xbf\xbd   Strong passwords and authenticator controls are         \xef\xbf\xbd   Document      and     implement    system-specific\n             not implemented for PARS database accounts in               processes for generating and performing reviews of\n             accordance with FEMA and DHS policy.                        PARS database audit logs and retaining auditable\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 63\n\x0c                                                                                                                                Appendix B\n                                              Department of Homeland Security\n                                          Information Technology Management Letter\n                                                     September 30, 2010\n\nNFR                                                                                                                     New     Repeat Risk\n                           Condition                                            Recommendation\n#No                                                                                                                     Issue    Issue Rating\n          Specifically:                                             evidence of review in accordance with FEMA and\n                                                                    DHS policy. 
Additionally, ensure that all DHS\n          -   A minimum password length is not set;\n                                                                    requirements are met through this process,\n          -   Password complexity is not enforced to require        including appropriate supervisory review and\n              passwords that include a combination of               segregation of duties principles.\n              upper/lowercase letters, numbers, and special     \xef\xbf\xbd   Configure PARS database audit logs to capture and\n              characters or to restrict the use of dictionary       retain auditable events in accordance with FEMA\n              words as passwords;                                   and DHS policy.\n          -   Reuse of previous passwords is not prohibited;    \xef\xbf\xbd   Further define and establish a formal process for\n                                                                    granting initial access and recertifying access\n          -   Passwords are not configured to expire or be          specifically to the PARS database that includes\n              changed after a pre-determined length of time;        appropriate approval from FEMA management and\n              and                                                   requirements for temporary and emergency access,\n          -   Accounts are not configured to disable after a        in accordance with DHS guidance.\n              pre-determined number of consecutive invalid\n              login attempts.                                   
Please see NFR FEMA-IT-10-48 for recommendations\n                                                                related to the periodic review and assessment of\n      \xef\xbf\xbd   System-specific policies and procedures have not      security controls in place to ensure that corrective\n          been developed for the PARS Oracle database, and      actions are appropriately implemented over identified\n          existing policies and procedures inherited from the   security weaknesses.\n          IFMIS application operating environment do not\n          adequately describe implementation of FEMA\n          policies for the generation, review, and retention\n          of all required auditable events.\n      \xef\xbf\xbd   Database audit logs are not configured to capture\n          auditable events, including failed login attempts\n          and administrator-level actions, as required by\n          FEMA and DHS policy.\n      \xef\xbf\xbd   Although a periodic recertification of PARS\n          database access accounts is performed to ensure\n          that access is still necessary and appropriate for\n          each individual, policies and procedures over the\n          management of accounts on the PARS Oracle\n          database do not specify requirements for\n          performing a periodic recertification of database\n                 Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                    Page 64\n\x0c                                                                                                                                    Appendix B\n                                                  Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2010\n\nNFR                                                                                  
                                       New     Repeat Risk\n                               Condition                                             Recommendation\n#No                                                                                                                         Issue    Issue Rating\n             accounts to validate the continued appropriateness\n             of access. Additionally, the FY 2010\n             recertification of PARS Oracle database user\n             accounts was not completed consistently and in\n             accordance       with      FEMA         requirements.\n             Specifically, of a selection of recertification forms\n             for five PARS database user accounts requested,\n             four forms recertified access for contractors\n             without documented COTR approval.\n         \xef\xbf\xbd   Authorization of initial access for the PARS\n             database is not consistently completed in\n             accordance with FEMA and DHS policy.\n             Specifically, of a selection of three PARS database\n             access forms requested:\n             -   Two user accounts were granted to contractors\n                 without the required COTR signature.\n             -   One account was identified by Financial\n                 Systems Section (FSS) personnel as an IFMIS\n                 system account. 
However, no documentation\n                 justifying or authorizing the use of this system\n                 account was provided.\nFEMA-    During the FY 2010 financial statement audit, we noted      We recommend that FEMA configure all NEMIS                       X      3\nIT-10-   that FEMA has made improvements over the                    Oracle databases to ensure compliance with effective\n  06     management of NEMIS Oracle database password                DHS and FEMA policy requirements for passwords\n         controls for IT Operations database administrator           and authenticator control requirements, including\n         accounts, specifically by configuring a 104-day             expiration, reuse, and length and complexity.\n         password lifetime.         However, the following\n         weaknesses noted in FY 2009 continue to exist in FY\n         2010 for the four databases selected for testing:\n         \xef\xbf\xbd   A password complexity verification function is not\n             configured to require a combination of\n             upper/lowercase letters, numbers, and special\n\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 65\n\x0c                                                                                                                                    Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\nNFR                                                                                                                         New     Repeat Risk\n                              Condition                                            Recommendation\n#No                                                             
                                                            Issue    Issue Rating\n             characters.\n         \xef\xbf\xbd   Reuse of previous passwords is not prohibited.\n         \xef\xbf\xbd   No minimum password length is enforced.\nFEMA-    FEMA has made improvements over the management            We recommend that FEMA configure the IFMIS-                        X      3\nIT-10-   of IFMIS-Merged Oracle database passwords by              Merged Oracle database to ensure compliance with\n  07     configuring the system to retain a history of the         effective DHS and FEMA policy requirements\n         previous ten passwords. However, upon inspection of       regarding the reuse of user passwords.\n         additional database password parameters, we\n         determined that the password history for the ten\n         previous passwords is only retained for 30 days.\n         Therefore, after the 30 day timeframe, the password\n         history is erased, allowing the user to potentially use\n         one of the previous ten passwords.\nFEMA-    During the FY 2010 financial statement audit, we          Configure all NEMIS Oracle databases to ensure            X               3\nIT-10-   selected four NEMIS Oracle databases for testing and      compliance with effective DHS and FEMA policy\n  08     noted that each is configured to lock accounts after      requirements for account lockouts due to failed login\n         three consecutive failed login attempts and to remain     attempts.\n         locked for 415 seconds (7.5 minutes) before being\n         unlocked.\nFEMA-    As noted during the FY 2009 audit, the following          \xef\xbf\xbd   Revise the SOP for Handling of Oracle Audit Logs               X      3\nIT-10-   weaknesses over audit logging controls for the NEMIS          to ensure that procedures over requirements for\n  09     Oracle databases continue to exist in FY 2010:                logging and monitoring auditable activities 
on all\n                                                                       NEMIS databases are documented in accordance\n         \xef\xbf\xbd   The FEMA IT Operations Branch Standard\n                                                                       with DHS and FEMA guidance and the process for\n             Operating Procedure (SOP) for Handling of\n                                                                       audit log review is appropriately implemented for\n             Oracle Audit Logs has not been updated.\n                                                                       all databases within the NEMIS system boundary.\n             Specifically:\n                                                                   \xef\xbf\xbd   Implement database configurations on all NEMIS\n             -   The scope section of the SOP does not list all        databases in accordance with DHS and FEMA\n                 Oracle databases identified that comprise the         policy and procedures over required auditable\n                 NEMIS data processing environment.                    
events and activities.\n                                                                   \xef\xbf\xbd   Dedicate the appropriate resources and implement\n             -   The SOP has not been updated to address all\n                                                                       the appropriate automated tools or establish\n                 DHS policy requirements surrounding audit\n                                                                       manual processes to collect, review, and retain\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 66\n\x0c                                                                                                                                     Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\nNFR                                                                                                                          New     Repeat Risk\n                              Condition                                             Recommendation\n#No                                                                                                                          Issue    Issue Rating\n                 trails and activity monitoring. 
Specifically,         auditable activities on all NEMIS databases, to\n                 successful logins, access modifications, highly       ensure compliance with DHS and FEMA policy.\n                 privileged user account activity, and changes\n                 to user profiles are not required to be logged\n                 and reviewed.\n             -   The     SOP      specifies    that    database\n                 administrators will review Oracle audit\n                 records, which is a violation of segregation of\n                 duties principles that require an independent\n                 review of system activity.\n         \xef\xbf\xbd   On the four NEMIS databases selected for testing,\n             configurations are not fully enabled so that a\n             review of audit trails and activity defined by DHS\n             policy    requirements     can     be    completed.\n             Specifically, only failed login attempts are\n             recorded in the audit trails of all database user\n             accounts.\nFEMA-    As noted during the FY 2009 audit, we determined that     \xef\xbf\xbd   Develop, document, fully implement, and                         X      2\nIT-10-   weaknesses over the tracking of FEMA contractors              communicate formal policies and procedures,\n  10     continue to exist in FY 2010. 
Specifically:                   according to DHS guidelines and requirements, for\n                                                                       centrally tracking all contractors throughout the\n         \xef\xbf\xbd   FEMA does not have a formal process for centrally         on-boarding, termination, and transfer processes.\n             and adequately tracking FEMA contractors                  Ensure policies and procedures include:\n             throughout the on-boarding, termination, and\n                                                                       \xe2\x80\xa2   The assignment of roles and responsibilities to\n             transfer processes. As a result, FEMA could not\n                                                                           appropriate     FEMA      management       and\n             provide a complete listing of all contractors\n                                                                           stakeholders.\n             working for FEMA.\n                                                                       \xef\xbf\xbd   Procedures to ensure that COTRs notify the\n                                                                           FEMA OCIO of changes in contractors\xe2\x80\x99 status,\n         \xef\xbf\xbd   The process established for notifying FEMA\n                                                                           including separation or transfer, so that\n             Office of Chief Information Officer (OCIO)\n                                                                           accounts can be disabled/removed or account\n             management, including IT system administrators,\n                                                                           profiles can be appropriately modified in the\n             of changes in contractor\'s status, so that accounts\n                                                                           required timeframe.\n             can 
be disabled/removed or account profiles can be\n             appropriately modified in the required timeframe,         \xef\xbf\xbd   Establishment of controls for periodically\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 67\n\x0c                                                                                                                                      Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\nNFR                                                                                                                           New     Repeat Risk\n                               Condition                                             Recommendation\n#No                                                                                                                           Issue    Issue Rating\n             is not effective or comprehensive. Specifically, no            monitoring the effectiveness of the process to\n             formal requirements exist for Contracting Officer\xe2\x80\x99s            ensure compliance with policy.\n             Technical Representatives (COTRs) to notify the        \xef\xbf\xbd   Regularly distribute a listing of terminated\n             OCIO of separating contractors.                            
contractor personnel to information system\n                                                                        administrators so they can remove user access\n                                                                        timely.\nFEMA-    While FEMA has made improvements over the review           \xef\xbf\xbd   Revise and implement policies and procedures that               X      3\nIT-10-   of IFMIS-Merger application activity by documenting            document requirements for configuring, retaining,\n  11     responsibilities for performing periodic reviews of            and reviewing audit trails for the IFMIS-Merger\n         super user account activities, the following weaknesses        application and database, including defined roles\n         noted in FY 2009 continue to exist in FY 2010:                 and responsibilities, in accordance with DHS and\n                                                                        FEMA policy.\n         \xef\xbf\xbd   Existing policies and procedures, including FEMA\n             Interim CFO Directive 2600-21, IFMIS User              \xef\xbf\xbd   Implement configurations on the IFMIS-Merger\n             Access and Termination, and FEMA SOP 2000-                 application and database to ensure that audit logs\n             002, Monitoring of IFMIS Database Audit Log, do            record required auditable events and activities, in\n             not require the generation, review, or retention of        accordance with DHS and FEMA policy.\n             audit logs for all activities required by FEMA and     \xef\xbf\xbd   Implement appropriate management controls to\n             DHS policy.                                                
ensure timely communication and implementation\n                                                                        of existing and future DHS information security\n         \xef\xbf\xbd   Failed database (Oracle) and application (UNIX)            policy requirements pertaining to the configuration\n             login attempts and activity performed by                   of audit logs on the IFMIS-Merger application and\n             application users with the \xe2\x80\x9csuper user\xe2\x80\x9d role remain        database, and to periodically assess system\n             the only forms of activity logged and monitored for        controls to determine compliance.\n             IFMIS-Merger. Other types of activity required by\n             FEMA and DHS policy, including successful\n             logins, access modifications, and changes to user\n             profiles, are not logged or monitored.\n         \xef\xbf\xbd   While we noted that logging of users accessing or\n             attempting to access the IFMIS-Merger application\n             is enabled and distributed to appropriate\n             independent reviewers, evidence of review of\n             application login attempts is not documented.\n         Additionally, we noted the following weaknesses\n         related to reviews of activity of super users within the\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 68\n\x0c                                                                                                                                    Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\nNFR                                                                                  
                                       New     Repeat Risk\n                              Condition                                             Recommendation\n#No                                                                                                                         Issue    Issue Rating\n         IFMIS-Merger application:\n         \xef\xbf\xbd   Activity of users with elevated privileges is logged\n             and reviewed on a weekly basis. However, FEMA\n             policy requires that audit records be captured and\n             reviewed at least every three days.\n         \xef\xbf\xbd   Review of super user activity is performed by an\n             individual with super user privileges within the\n             application, in conflict with segregation of duties\n             principles.\nFEMA-    The following weaknesses noted in FY 2009 continued        There is no recommended corrective action specific to             X      3\nIT-10-   to exist in FY 2010:                                       this finding because of the decommissioning of G&T\n  12                                                                IFMIS in June 2010. Any G&T IFMIS accounts which\n         \xef\xbf\xbd   G&T IFMIS application user accounts were not           now exist on the IFMIS \xe2\x80\x93 Merged instance will need to\n             consistently approved or authorized prior to initial   be included in recertification efforts that will be\n             account creation or modification of account            performed by FEMA as corrective action to remediate\n             privileges. 
Information Technology Management Letter for the FY 2010 Financial Statement Audit
Page 69

Appendix B
Department of Homeland Security
Information Technology Management Letter
September 30, 2010

Table columns: NFR #; Condition; Recommendation; New Issue; Repeat Issue; Risk Rating.
Each entry below gives the NFR number, whether the finding is a new or repeat issue, the risk rating, and then the Condition and Recommendation text.

(Continued from the preceding entry; Repeat Issue; Risk Rating 3)

Condition (continued): Of the 25 active application users selected for testing, FEMA was unable to provide adequate documented evidence that creation of, or modifications to, account privileges for 22 accounts were properly authorized. Specifically:
  • Documentation for 10 accounts did not evidence that access was authorized by the Office of the Chief Financial Officer (OCFO).
  • Documentation for 11 accounts indicated that access was authorized by the OCFO after the modifications to the account privileges were performed.
  • Documentation for one account was not available.
• G&T IFMIS Oracle database user accounts were not consistently approved or authorized prior to initial account creation. Specifically, of the eight active database user accounts selected for testing, FEMA was unable to provide documented evidence that the initial account creation of two accounts in FY 2010 was authorized.
While KPMG noted that the planned merger of the G&T IFMIS and Core IFMIS instances occurred in February 2010, and the existing G&T IFMIS Oracle database and application server was decommissioned in June 2010, the weaknesses over the financial data existed for the majority of the fiscal year.

Recommendation (continued): ... NFR FEMA-IT-10-14, which cites a lack of consistent recertification of Core/Merged IFMIS accounts, to ensure that all migrated G&T IFMIS accounts are appropriately authorized.

NFR FEMA-IT-10-13 (Repeat Issue; Risk Rating 3)

Condition: As noted during the FY 2009 audit, weaknesses in G&T IFMIS Oracle database audit logging controls continued to exist in FY 2010. Specifically, Oracle database audit trails were not configured to capture any activity, including failed login attempts or administrator-level actions as required by FEMA and DHS guidance.
While we noted that the planned merger of the G&T IFMIS and Core IFMIS instances occurred in February 2010 and the existing G&T IFMIS Oracle database was decommissioned in June 2010, the weaknesses over the financial data existed for the majority of the fiscal year.

Recommendation: There is no recommended corrective action specific to this finding because of the decommissioning of G&T IFMIS in June 2010.

NFR FEMA-IT-10-14 (Repeat Issue; Risk Rating 3)

Condition: During the FY 2010 audit procedures, we noted that weaknesses which existed in FY 2009 related to the recertification of IFMIS application accounts continue to exist. Specifically, although the Core IFMIS application user accounts were recertified in January 2010 prior to the merge of the G&T and Core IFMIS applications, we determined that the recertification of the Core IFMIS accounts was not properly completed. Of the 25 active application accounts selected, FEMA was unable to provide documented evidence that three of the accounts were recertified by the system owner to validate the continued appropriateness of the account, as required by FEMA and DHS policy. Furthermore, these accounts then remained on the IFMIS-Merger application after the merger of the applications occurred.

Recommendation:
• Dedicate resources to fully implement FEMA and DHS requirements for a recertification of all IFMIS-Merger application accounts at least annually, including revoking access for any accounts not currently in compliance with the annual recertification.
• Identify and implement appropriate monitoring controls to ensure continued compliance with recertification requirements for the IFMIS-Merger application.

NFR FEMA-IT-10-15 (Repeat Issue; Risk Rating 3)

Condition: During the FY 2010 audit, we noted that the weaknesses over the recertification of G&T IFMIS application and Oracle database users noted in FY 2009 continued to exist. Specifically, a management review to validate the appropriateness of G&T IFMIS application and Oracle database user accounts was not formally implemented or performed by the Office of the Chief Financial Officer/Financial System Section (OCFO-FSS) this fiscal year. We noted that the planned merger of the G&T IFMIS and Core IFMIS instances occurred in February 2010, and the existing G&T IFMIS Oracle database and application server was decommissioned in June 2010. However, prior to the migration of G&T accounts to the IFMIS – Merged instance in February 2010, a recertification of G&T IFMIS application users did not occur. Therefore, the weaknesses over the recertification of users with access to G&T IFMIS financial data existed for the first two quarters of the fiscal year.

Recommendation: There is no recommended corrective action specific to this finding because of the decommissioning of G&T IFMIS in June 2010. Any G&T IFMIS accounts which now exist on the IFMIS – Merged instance will be included in recertification efforts that need to be performed by FEMA as corrective action to remediate NFR FEMA-IT-10-14, which cites a lack of consistent recertification of Core/Merged IFMIS accounts.

NFR FEMA-IT-10-16 (Repeat Issue; Risk Rating 2)

Condition: The merger of Core IFMIS and G&T IFMIS was performed in February 2010, and the G&T IFMIS application and database server were formally decommissioned in June 2010. While an ATO was granted for the IFMIS-Merger system by the FEMA Chief Information Officer on June 4, 2010, prior to the completion of the merged instance, a C&A had not been performed over the G&T IFMIS instance. Consequently, as noted during the prior year FY 2009 audit, G&T IFMIS operated without an ATO prior to its decommissioning. In addition, we determined that during the time the system was operational, neither an Information System Security Officer (ISSO) nor a Designated Authorizing Authority (DAA) had been formally designated by FEMA management for G&T IFMIS.

Recommendation: There is no recommended corrective action specific to this finding because of the decommissioning of G&T IFMIS in June 2010.

NFR FEMA-IT-10-17 (New Issue; Risk Rating 2)

Condition: During the FY 2010 integrated audit, we noted the following weaknesses regarding specialized training for FEMA employees and contractors with significant information security responsibilities:
• FEMA has not formally documented or implemented policies and procedures to meet the requirements over specialized training for FEMA employees and contractors with significant information security responsibilities in accordance with DHS policy.
• With the exception of ISSOs, FEMA has not formally identified all individuals or positions with significant information security responsibilities subject to specialized training requirements.
• FEMA does not track or monitor completion of specialized training for FEMA personnel with critical IT roles.

Recommendation:
• Develop and implement policies and procedures requiring initial and periodic specialized training for individuals with significant information security responsibilities.
• Formally identify specific roles and positions possessing significant information security responsibilities that are subject to specialized training requirements.
• Develop and implement a mechanism for tracking and monitoring compliance with specialized training requirements for individuals with significant information security responsibilities.

NFR FEMA-IT-10-18 (Repeat Issue; Risk Rating 2)

Condition: In FY 2010, we noted that the NEMIS SSP was updated in November 2009. However, we determined that the following weaknesses continue to exist:
• NEMIS system boundaries, including identification of all hardware and software elements that comprise the NEMIS general support system and subsystems, have not been fully defined.
• FEMA has not documented the assignment of FEMA personnel with security responsibilities for the modules and major applications that are classified as NEMIS subsystems within the current NEMIS SSP.

Recommendation:
• Fully identify all hardware and software components of the NEMIS platform and update appropriate NEMIS system documentation, including the SSP, to reflect the current operating environment as required by DHS policy and NIST guidance.
• Establish and implement a formal process for periodically reviewing and assessing system documentation to ensure that system boundaries and hardware and software components are accurately reflected.
• Formally assign and document security responsibilities of FEMA personnel for all components of NEMIS, including all identified modules and major applications.

NFR FEMA-IT-10-19 (New Issue; Risk Rating 3)

Condition: During the FY 2010 integrated audit, we noted the following weaknesses regarding configuration management over network devices such as firewalls, routers, and switches that support in-scope financial systems:
• Comprehensive configuration baselines identifying all relevant configuration items (CIs) within the scope of IFMIS and NEMIS have not been documented.
• FEMA configuration management (CM) policies and procedures require the implementation of Configuration Status Accounting (CSA), which includes recording approved configuration documentation, performing Configuration Audit (CA), and documenting physical configuration audits to assess conformance with established baselines. However, requirements for the frequency, documentation, and retention of results of these activities have not been defined in existing FEMA policies or procedures. Additionally, the required CSA reports and CAs have not been performed for IFMIS or NEMIS.

Recommendation:
• Formally establish roles and responsibilities related to oversight and implementation of configuration management policies and procedures for network devices, including firewalls and routers, supporting financial applications in accordance with DHS and FEMA requirements.
• Revise and implement configuration management policies and procedures over documenting and maintaining current baseline configurations for network devices supporting financial applications, including IFMIS and NEMIS, to ensure DHS and FEMA requirements are adequately addressed and configuration baselines are comprehensively documented by FEMA. Additionally, policies and procedures should include guidance over requirements such as documentation of baselines, periodic review and auditing, and approval of baseline changes for network devices.
• Perform required configuration management activities, including periodic Configuration Status Accounting and Configuration Audit activities, for network devices supporting financial applications, including IFMIS and NEMIS, and retain auditable evidence of these activities as required by FEMA policy.

NFR FEMA-IT-10-20 (Repeat Issue; Risk Rating 2)

Condition: Conditions noted in FY 2009 related to weaknesses over the documentation and testing of the NEMIS contingency plan continue to exist in FY 2010, as follows:
• The NEMIS IT Contingency Plan does not adequately and comprehensively include information required by DHS policy for systems with high impact availability. For example, we noted the following weaknesses:
  • Detailed information over NEMIS system architecture, such as the database and server names, as well as information over the various modules of NEMIS, has not been appropriately documented to reflect the current operating environment.
  • The plan does not sufficiently include details necessary to fully restore NEMIS and dependent subsystems in the event of an emergency.
  • The contingency plan does not specify critical roles, system resources, or system/application recovery priorities in sufficient detail to distinguish between the various modules within NEMIS.
  • The Business Impact Analysis (BIA) included in the Contingency Plan was completed in 2004 and is not adequately documented.
• Testing of the NEMIS IT contingency plan has not been performed in the past 12 months in accordance with DHS policy.

Recommendation:
• Update the NEMIS IT Contingency Plan in accordance with DHS and NIST requirements for systems categorized at the high impact availability objective. Additionally, ensure that the Contingency Plan comprehensively addresses the numerous sub-systems within NEMIS so that detailed information exists over the current system architecture, critical processing priorities, detailed recovery procedures and other required components in accordance with DHS guidance.
• Conduct and document annual tests of the NEMIS Contingency Plan that address all critical phases of the plan, and update the Contingency Plan with lessons learned, as necessary and in accordance with DHS and NIST requirements.

NFR FEMA-IT-10-21 (Repeat Issue; Risk Rating 3)

Condition: We performed a comparison of active IFMIS-Merger, G&T IFMIS, and NEMIS Access Control System (NACS) accounts, as well as individuals with Virtual Private Network (VPN) remote access privileges, against a list of FEMA employees that had separated from employment since October 1, 2009 to determine if any separated employees retained active accounts on the applications or remote access to the FEMA network. The following weaknesses were identified:
• 11 IFMIS-Merger user accounts remained active and unlocked after the account holder's separation from FEMA.
• 3 G&T IFMIS user accounts remained active and unlocked after the account holder's separation from FEMA.
• 164 NACS accounts with NEMIS positions assigned at the time of our test work remained active and unlocked after the account holder's separation from FEMA.
• 33 individuals retained the ability to access the FEMA network remotely due to active VPN remote access privileges after the account holder's separation from FEMA. All 33 individuals additionally retained an active NACS account as described above, thus allowing them to potentially access NEMIS as well.

Recommendation:
• Identify the root cause(s) associated with separated employees remaining on FEMA information systems. As appropriate, revise existing procedures or develop additional procedures over removal of separated user access to IT systems to address weaknesses that contribute to untimely removal of separated individuals from the systems.
• Ensure that procedures are implemented consistently to remove system and application accounts for all separated users immediately upon notification of separation, in accordance with FEMA, DHS and NIST guidance.
No corrective action specific to the portion of this finding related to G&T IFMIS will be provided because of the decommissioning of that system in June 2010.

NFR FEMA-IT-10-22 (Repeat Issue; Risk Rating 3)

Condition: In FY 2010, we noted that the following conditions identified in FY 2009 related to FEMA LAN accounts continue to exist:
• The FEMA LAN domain security policy does not enforce password requirements in accordance with DHS policy. Specifically:
  • The FEMA LAN does not enforce a password history or prevent reuse of passwords.
  • The FEMA LAN does not enforce complexity requirements, including password length or the use of mixed-case alphanumeric and special characters, to ensure that strong passwords are used.
• FEMA was unable to provide evidence of account authorization for 10 Active Directory (AD) individual user accounts created in FY 2010.
• While policies and procedures over the authorization of generic, shared group, and service accounts on the FEMA LAN have been finalized, approval of these accounts is not consistently documented according to policy. Specifically, of a selection of 45 generic, group, and service LAN accounts created during FY 2010:
  • 2 did not have a clearly defined business need or justification documented;
  • 26 did not have IT Security or system owner approval documented;
  • 19 were created prior to supervisory certification; and
  • 2 did not have any authorizing documentation provided for our review.
• FEMA has not established procedures and implemented a process over the periodic recertification of FEMA LAN accounts to ensure that access is still necessary and appropriate for each account as required by FEMA and DHS policy.
• We compared a listing of active FEMA LAN/AD accounts against a list of FEMA employee separations that had occurred since October 1, 2009 and determined that 85 accounts remained active and unlocked after the account holder's separation from FEMA.

Recommendation: Configure the FEMA LAN to ensure compliance with DHS and FEMA policy requirements for passwords and authenticator control requirements, including expiration, reuse, and length and complexity.
Identify and implement appropriate monitoring controls to ensure that all accounts on the FEMA LAN are in compliance with DHS requirements for authorization. Additionally, ensure that where appropriate policies and procedures are further developed and/or revised to ensure consistent implementation and include requirements for all accounts on the FEMA LAN, including generic, shared group, service, and LAN end-user accounts not included in the NACS.
Develop and implement a formal process for performing a periodic recertification of all FEMA LAN accounts which defines requirements and addresses accounts not included during the planned recertification of NEMIS application access.
Evaluate and, if appropriate, revise existing procedures over removal of separated user access to the FEMA LAN to ensure the timely removal of separated individuals from the network.
Ensure that procedures are implemented consistently to remove FEMA LAN accounts for all separated users immediately upon notification of separation, in accordance with FEMA, DHS and NIST guidance.

NFR FEMA-IT-10-23 (Repeat Issue; Risk Rating 2)

Condition: In FY 2010, we determined that while change management procedures have been developed and implemented for applications hosted by the NFIP LAN, including Traverse, the documented procedures do not specifically address patch management policies and procedures for the NFIP LAN in accordance with DHS requirements. Specifically, controls over the approval, testing, and deployment of operating system patches are not addressed.

Recommendation: We recommend that FEMA OCIO and NFIP management finalize and implement comprehensive patch management policies and procedures for the NFIP LAN supporting Traverse, in accordance with DHS policy. Additionally, FEMA and NFIP management should ensure that these procedures include requirements for authorizing, testing, and approving patches to be implemented into production and responding to DHS Security Operations Center and DHS EOC notifications to ensure compliance with the timely implementation of required patches.

NFR FEMA-IT-10-24 (Repeat Issue; Risk Rating 2)

Condition: During FY 2010, we noted that weaknesses over the Certification and Accreditation (C&A) of NFIP continue to exist. Specifically,
• FEMA approved Conditional ATOs for the NFIP/LSS on May 22, 2009 and August 20, 2010 for two one-year periods. However, we noted that in the absence of a full ATO, DHS policy allows "interim" ATOs only for systems that are either under development testing or in the prototype phase of development, not operational systems such as the NFIP/LSS. Additionally, "interim" ATOs cannot exceed two consecutive six-month periods.
• During the initial Conditional ATO period that began on May 22, 2009, FEMA did not complete C&A efforts, including the risk assessment and security testing and evaluation (ST&E) needed to fully assess risk associated with the system, so that a full ATO could be issued. Consequently, from May 2010, when the initial Conditional ATO expired, through August 2010 when the second Conditional ATO was approved, the system operated without any authorization.
• During our integrated audit fieldwork period, NFIP was unable to provide us with evidence that C&A activities required to be performed for a full ATO to be granted had been completed.

Recommendation: We recommend that NFIP continue to work with the FEMA OCIO to complete the recertification and accreditation of the NFIP Legacy Services System (LSS), including documentation of all required artifacts in accordance with applicable DHS policies and Federal guidance.

NFR FEMA-IT-10-25 (Repeat Issue; Risk Rating 3)

Condition: During the FY 2010 FEMA Integrated Audit, we noted that the following conditions related to management of FEMA VPN accounts continue to exist:
• The VPN Rules of Behavior for Users Behind Corporate Firewalls, dated December 5, 2002, requires individual's manager approval and Enterprise Service Desk (ESD) validation of all VPN Access Request forms prior to granting access. However, approval by the system owner or a designated representative is not required.
• VPN Access Request forms include an approval block titled "For FEMA OCS Use Only," and the form states that all VPN requests must be approved by the FEMA Office of Cyber Security (OCS).

Recommendation:
• Revise and implement current policies and procedures for documenting, reviewing, and approving all remote access accounts to the FEMA LAN including VPN and iPass access. Specifically, roles and responsibilities should be defined to ensure that sufficient resources are dedicated to appropriately authorize accounts on behalf of the system owner or a designee prior to granting remote access, according to FEMA and DHS policy.
• Develop and implement policies and procedures to perform a periodic recertification of all remote user access and retain auditable records as evidence that recertifications are conducted and completed in
accordance with DHS and FEMA policy.\n             However, OCS does not currently exist as a FEMA\n             Division due to FEMA\xe2\x80\x99s reorganization.\n             Consequently, existing policies and procedures do\n             not reflect the current security management\n             structure at FEMA nor do they assign\n             responsibility to a current entity within the agency.\n         \xef\xbf\xbd   A periodic recertification of FEMA VPN access\n             accounts is not currently performed to ensure that\n             remote access is still necessary and appropriate for\n             each individual.\n         \xef\xbf\xbd   Of the selection of 45 VPN Access Request forms\n             reviewed:\n             \xef\xbf\xbd   Two did not specify the date that access was\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 78\n\x0c                                                                                                              Appendix B\n                                              Department of Homeland Security\n                                          Information Technology Management Letter\n                                                     September 30, 2010\n\nNFR                                                                                                   New     Repeat Risk\n                           Condition                                   Recommendation\n#No                                                                                                   Issue    Issue Rating\n              approved by the requestor\xe2\x80\x99s supervisor.\n          \xef\xbf\xbd   Three were granted supervisory approval after\n              VPN access was established for the user.\n          \xef\xbf\xbd   The section of each form that required \xe2\x80\x9cOCS\xe2\x80\x9d\n              level review and 
approval was not completed.\n      Additionally, we conducted further testwork over\n      remote access granted through the iPass utility, which\n      is used to provide dial-up access to the FEMA network\n      via the VPN gateway. This access is managed through\n      a separate access authorization process from VPN.\n      During our testwork, we noted the following new\n      conditions in FY 2010 related to management of access\n      to iPass:\n      \xef\xbf\xbd   While iPass User Agreement forms require Section\n          Chief (or equivalent) approval and IT certification\n          for iPass remote access, requests are not approved\n          by the system owner or a designated\n          representative, as required by DHS policy.\n          Additionally, policies and procedures do not exist\n          related to the granting and management of users of\n          the iPass remote dial-up utility.\n      \xef\xbf\xbd   Of the selection of 45 iPass User Agreement forms\n          reviewed:\n          \xef\xbf\xbd   Three did not specify the date that access was\n              approved by the requestor\xe2\x80\x99s section chief (or\n              equivalent).\n          \xef\xbf\xbd   One was granted supervisory approval after\n              VPN access was established for the user.\n          \xef\xbf\xbd   One was granted supervisory approval by the\n              same individual that the requested VPN\n              account was for, indicating a violation of\n                 Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                    Page 79\n\x0c                                                                                                                                    Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                         
                               September 30, 2010\n\nNFR                                                                                                                         New     Repeat Risk\n                              Condition                                             Recommendation\n#No                                                                                                                         Issue    Issue Rating\n                 segregation of duties in the management\n                 review and approval of information system\n                 access.\nFEMA-    The following weaknesses noted in FY 2009 continue         \xef\xbf\xbd   Identify and implement appropriate monitoring                 X      3\nIT-10-   to exist in FY 2010:                                           controls to ensure compliance with initial\n  26                                                                    authorization and modification requirements for\n         \xef\xbf\xbd   IFMIS-Merger application user accounts were not\n                                                                        accounts on the IFMIS-Merger application.\n             properly approved or authorized. Specifically, of\n             the 25 active application users selected for review,   \xef\xbf\xbd   Document policies and procedures over the\n             FEMA was unable to provide documented                      periodic recertification of all accounts on the\n             evidence that initial account creation or the most         IFMIS-Merger database.\n             recent modifications to account privileges for 6       \xef\xbf\xbd   Dedicate resources to fully implement FEMA and\n             accounts were authorized.                                  
DHS requirements for a recertification of all\n                                                                        IFMIS-Merger database accounts at least annually,\n         \xef\xbf\xbd   Policies and procedures over the management of             including revoking access for any accounts not\n             accounts on the IFMIS-Merger Oracle database do            currently in compliance with the annual\n             not specify requirements for performing a periodic         recertification.\n             recertification of database accounts to validate the   \xef\xbf\xbd   Identify and implement appropriate monitoring\n             continued appropriateness of access.                       controls to ensure compliance with initial\n         \xef\xbf\xbd   IFMIS-Merger Oracle database user accounts were            authorization,    modification,   and    periodic\n             not properly approved or authorized. Specifically,         recertification requirements for accounts on the\n             of the eight active database users selected for            IFMIS-Merger database.\n             review, approval for six user accounts was not\n             documented prior to creation of the accounts.\n             Approval was not documented for these accounts\n             until after the audit request for documentation was\n             received.\n         \xef\xbf\xbd   The FY 2010 recertification of IFMIS-Merger\n             Oracle database user accounts was neither\n             completed consistently nor in accordance with\n             FEMA policy. 
Specifically, we requested a\n             selection of recertification forms for 8 IFMIS-\n             Merger database user accounts and determined that\n             3 were granted to contractors, but COTR approval\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 80\n\x0c                                                                                                                                   Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\nNFR                                                                                                                        New     Repeat Risk\n                              Condition                                            Recommendation\n#No                                                                                                                        Issue    Issue Rating\n             was not documented.\nFEMA-    As noted during the FY 2009 audit, the following          There is no recommended corrective action specific to             X      3\nIT-10-   weaknesses in G&T IFMIS Oracle database user              this finding because of the decommissioning of G&T\n  27     account password controls continued to exist in FY        IFMIS in June 2010.\n         2010:\n         \xef\xbf\xbd   We determined that FEMA performed manual\n             reviews of inactive G&T IFMIS database accounts\n             on a monthly basis to disable accounts which had\n             not been used in the prior 90 days. 
However, since\n             G&T IFMIS is categorized as a high impact\n             system, reviews are required to disable accounts\n             that have been inactive for 45 days, according to\n             DHS policy.\n         \xef\xbf\xbd   The G&T IFMIS database account security policy\n             did not enforce password requirements in\n             accordance with DHS policy. Specifically:\n             \xef\xbf\xbd   The database did not enforce a password\n                 history or prevent reuse of passwords.\n             \xef\xbf\xbd   The database did not enforce complexity\n                 requirements, including definition of a\n                 password verification function to ensure strong\n                 passwords are used. Specifically, password\n                 length and requirements over the use of mixed-\n                 case, alphanumeric and special characters to\n                 enforce restrictions over the use of dictionary\n                 words, are not defined.\n             \xef\xbf\xbd   The database did not enforce password\n                 expiration after a predetermined length of\n                 time.\n         \xef\xbf\xbd   FEMA had not established a formal process for\n             approving emergency and temporary access to the\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 81\n\x0c                                                                                                                                   Appendix B\n                                                Department of Homeland Security\n                                            Information Technology Management Letter\n                                                       September 30, 2010\n\nNFR                                                                                                                        New    
 Repeat Risk\n                              Condition                                           Recommendation\n#No                                                                                                                        Issue    Issue Rating\n             G&T IFMIS database that is compliant with DHS\n             requirements. Specifically, emergency and\n             temporary access to the database for individuals\n             with elevated privileges, including access for\n             contractor development personnel, is approved by\n             the Financial Systems Section (FSS) Chief and/or\n             his/her staff, not by the FEMA CISO or a designee,\n             as required by DHS policy. Additionally, a formal\n             process specifically addressing procedures for the\n             granting of temporary access to the database and\n             ensuring that access is removed in a timely manner\n             was not documented within existing IFMIS access\n             control policies and procedures. 
Furthermore, we\n             determined that through this process the G&T\n             IFMIS Oracle database access was granted to\n             contracted development personnel in order to\n             implement database changes to G&T IFMIS,\n             which continues to conflict with segregation of\n             duties principles.\n         While we noted that the merger of the G&T IFMIS and\n         Core IFMIS instances occurred in February 2010 and\n         the existing G&T IFMIS Oracle database was\n         decommissioned in June 2010, the weaknesses noted\n         existed for the majority of the fiscal year.\nFEMA-    Weaknesses noted in FY 2009 over C&A of the FEMA         \xef\xbf\xbd   Continue to fully identify and decouple all                    X      3\nIT-10-   LAN and subsystems that host in-scope financial              components of the FSN-2 platform, including\n  28     applications continue to exist in FY 2010. During our        regional LANs and General Support Systems,\n         FY 2010 audit, we noted that FEMA has classified             which host or support IFMIS and NEMIS, and\n         regional LANs as subsystems and included them within         perform all required Certification & Accreditation\n         the defined system boundary of the FEMA Switched             activities over each component as required by\n         Network (FSN)-2. 
We noted the following weaknesses           DHS policy and NIST guidance.\n         in the C&A of the FSN-2 General Support System           \xef\xbf\xbd   Formally assign and document security\n         (GSS) that includes the FEMA LANs:                           responsibilities for all components of the FSN-2\n         \xef\xbf\xbd   The FSN-2 GSS C&A was not completed in                   platform, including regional LANs and General\n                                                                      Support Systems, which host or support IFMIS\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 82\n\x0c                                                                                                              Appendix B\n                                              Department of Homeland Security\n                                          Information Technology Management Letter\n                                                     September 30, 2010\n\nNFR                                                                                                   New     Repeat Risk\n                           Condition                                         Recommendation\n#No                                                                                                   Issue    Issue Rating\n          compliance with DHS and NIST requirements and         and NEMIS.\n          has not been updated to accurately reflect the\n          current GSS environment. 
Specifically:\n          \xef\xbf\xbd   The authorizing officials and individuals noted\n              as responsible for the security roles for\n              multiple regional LANs and subsystems are\n              not accurately reflected in the SSP included in\n              the C&A package as employees with specified\n              roles no longer work for FEMA in the capacity\n              noted.\n          \xef\xbf\xbd   While the Maryland National Processing\n              Service Center is identified as a subsystem in\n              the overarching FSN-2 GSS C&A package\n              SSP, C&A activities have not been performed\n              over this subsystem.\n          \xef\xbf\xbd   DHS policy requires annual testing of IT\n              contingency plans for information systems\n              with a high impact availability categorization,\n              such as the FSN-2 GSS. However, the most\n              recent test of the FSN-2 IT contingency plan\n              was performed and documented during FY\n              2008.\n          \xef\xbf\xbd   DHS policy requires that risk assessments be\n              conducted for information systems no less\n              frequently than every three years. 
However,\n              the most recent ST&E was documented during\n              FY 2006.\n      \xef\xbf\xbd   The most recent ATO granted by the FEMA CIO\n          expired on January 22, 2010, and the FSN-2 GSS\n          is currently operating without authorization from\n          FEMA management.\n      \xef\xbf\xbd   Although the C&A package references various\n                 Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                    Page 83\n\x0c                                                                                                                                 Appendix B\n                                                Department of Homeland Security\n                                            Information Technology Management Letter\n                                                       September 30, 2010\n\nNFR                                                                                                                      New     Repeat Risk\n                              Condition                                           Recommendation\n#No                                                                                                                      Issue    Issue Rating\n             subsystems supporting and hosting IFMIS and\n             NEMIS, FEMA management was unable to\n             identify and confirm the FSN-2 subsystems\n             (including regional LANs) that host the production\n             servers for NEMIS and IFMIS applications.\n             Consequently, we were unable to test the hosting\n             environment supporting financial applications in-\n             scope for the FY 2010 environment.\nFEMA-    During the FY 2009 FEMA Integrated Audit, we noted       \xef\xbf\xbd   Formally designate an ISSO for the PARS web                  X      3\nIT-10-   that a C&A of PARS had not been performed and the            server 
and application environment.\n  29     system had not received an ATO since becoming            \xef\xbf\xbd   Certify and accredit the PARS web server and\n         operational in the FEMA environment.        While            application environment, including documentation\n         improvements were noted in this condition for FY             of all required artifacts in accordance with\n         2010, we determined that the following C&A                   applicable DHS policies and Federal guidance.\n         weaknesses over PARS continue to exist:\n         In FY 2010, the PARS database was included within\n         the accreditation boundary for the IFMIS-Merger\n         system, which was granted an ATO in June 2010.\n         However, prior to that date, the PARS database was not\n         certified and accredited and consequently, operated\n         without an ATO for the majority of FY 2010.\n         \xef\xbf\xbd   All other system components of PARS, including\n             the web and application servers, continued to\n             operate without an ATO, and evidence that C&A\n             efforts for these components of PARS were\n             completed and approved by FEMA management\n             could not be obtained from FEMA for review\n             during the FY 2010 audit.\n         \xef\xbf\xbd   At the time of our test procedures, an ISSO had\n             not been formally designated by FEMA\n             management for the PARS web server and\n             application. 
While we were informed by FEMA IT\n             Security Management that the PARS database was\n             administered by an ISSO under the Core IFMIS,\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 84\n\x0c                                                                                                                                    Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\nNFR                                                                                                                         New     Repeat Risk\n                              Condition                                             Recommendation\n#No                                                                                                                         Issue    Issue Rating\n             we determined that no formal designation of this\n             responsibility was assigned until FY 2010 because\n             the PARS database was not included in the C&A\n             boundary for Core IFMIS and no additional\n             designation letters were issued. 
As a result, the\n             PARS database did not have a formal designation\n             of security responsibilities for the majority of the\n             fiscal year.\nFEMA-    As noted during the FY 2009 audit related to Core          We recommend that FEMA document and implement a                   X      3\nIT-10-   IFMIS, we determined that weaknesses over the              formal process for granting emergency and temporary\n  30     authorization of emergency and temporary access to         access to the IFMIS-Merger database that includes\n         the IFMIS \xe2\x80\x93 Merger Oracle database continue to exist       guidance over all types of accounts authorized for\n         in FY 2010. Specifically, FEMA has not established a       temporary and emergency access, segregation of duties\n         formal process for approving emergency and                 considerations, and appropriate approval from FEMA\n         temporary access to the IFMIS-Merger database that is      management in accordance with DHS policy.\n         compliant with DHS requirements. During our FY\n         2010 testing, we determined that emergency and\n         temporary access to the database for individuals with\n         elevated privileges, including access for contractor\n         development personnel, is approved by the Financial\n         Systems Section (FSS) Chief and/or his/her staff, not\n         by the FEMA CISO or a designee, as required by DHS\n         policy. 
Additionally, a formal process specifically\n         addressing procedures for the granting of temporary\n         access to the database and ensuring that access is\n         removed in a timely manner has not been documented\n         within existing IFMIS-Merger access control policies\n         and procedures.\n\n         Furthermore, we determined that through this process\n         the IFMIS-Merger Oracle database access is granted to\n         contracted development personnel in order to\n         implement database changes to IFMIS-Merger, which\n         continues to conflict with segregation of duties\n         principles.\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 85\n\x0c                                                                                                                                          Appendix B\n                                                   Department of Homeland Security\n                                               Information Technology Management Letter\n                                                          September 30, 2010\n\nNFR                                                                                                                               New     Repeat Risk\n                               Condition                                               Recommendation\n#No                                                                                                                               Issue    Issue Rating\nFEMA-    During our unannounced enhanced security testing             We recommend that FEMA formally approve and                           X      3\nIT-10-   performed during the FY 2010 integrated audit, we            implement procedures for managing security incidents.\n  31     noted that the FEMA Security Operation Center (SOC)          Specifically, procedures 
should clearly outline roles\n         proactively tracked and reported incidents related to        and responsibilities required to maintain a continuous\n         social engineering attempts performed at FEMA                incident response capability and define processes\n         headquarters and regional offices through implemented        related to the identification, evaluation, and resolution\n         ad hoc processes. However, weaknesses noted during           of all security incidents, as required by DHS and\n         the FY 2009 integrated audit related to FEMA\xe2\x80\x99s               FEMA policy.\n         incident response program continue to exist in FY\n         2010.\n\n         Specifically, standard operating procedures for the\n         management of FEMA IT security incidents have not\n         been formally approved and implemented by FEMA\n         management. Consequently, FEMA has not\n         implemented DHS policy requirements to establish a\n         documented and formally approved component-level\n         incident response framework or capability, including\n         roles, responsibilities, and processes related to the\n         identification, evaluation, and resolution of all security\n         incidents.\nFEMA-    In FY 2009, we identified weaknesses over FEMA\xe2\x80\x99s             We recommend that FEMA further dedicate resources                     X      3\nIT-10-   patch management program as it relates to Core IFMIS         to document and fully implement comprehensive\n  32     and G&T IFMIS. 
(Continuation of the NFR begun on the preceding page)

Condition:
  During the FY 2010 integrated audit, we determined that while FEMA has finalized and formally implemented the FEMA Office of the Chief Information Officer (OCIO) Standard Operating Procedure (SOP) for Vulnerability Patch Management, the SOP was not approved until April 8, 2010. Consequently, FEMA did not have a formal patch management procedure applicable to the IFMIS environments for a majority of the fiscal year. Given the timing of the SOP’s approval, the patch management procedures could not be implemented when G&T IFMIS was operational as it was merged with Core IFMIS in February 2010.
  Additionally, we determined that FEMA has not fully and consistently implemented the requirements and procedures documented in the SOP for IFMIS-Merger in accordance with FEMA and DHS guidance.

Recommendation:
  ... system-specific patch management procedures to ensure that IFMIS-Merger operating system and database patches are tested and deployed in a timely manner, in accordance with DHS and FEMA policy.
  No corrective action specific to the portion of this finding related to G&T IFMIS will be provided because of the decommissioning of that system in June 2010.

                    Information Technology Management Letter for the FY 2010 Financial Statement Audit
                                                       Page 86

                                                                                                                                       Appendix B
                                                Department of Homeland Security
                                            Information Technology Management Letter
                                                       September 30, 2010

NFR #    Condition    Recommendation    New Issue    Repeat Issue    Risk Rating

FEMA-IT-10-33    New Issue: -    Repeat Issue: X    Risk Rating: 2

Condition:
  Weaknesses noted in FY 2009 over FEMA’s information security vulnerability management program as it relates to NEMIS continue to exist in FY 2010. Specifically:
  • FEMA does not have documented and approved procedures that establish formal requirements, processes, and responsibilities for performing regular vulnerability scans of NEMIS.
  • The list of NEMIS servers currently scanned by the SOC is incomplete and does not represent the current NEMIS system boundary as defined by system owners and IT security management. Additionally, NEMIS system owners are not receiving listings of all vulnerabilities noted on their system components to ensure corrective action is tracked and remediated.
  • Corrective action over vulnerabilities identified through SOC internal scans of NEMIS production servers is not formally tracked via the Plan of Actions & Milestones (POA&M) process, as required by DHS policy.

Recommendation:
  • Establish and implement documented procedures that define formal requirements, processes, and responsibilities for performing periodic vulnerability scans of NEMIS production servers. Additionally, ensure these procedures include requirements for reporting and tracking resolution of weaknesses identified during internal NEMIS vulnerability scans in accordance with DHS POA&M guidance.
  • Revise the listing of NEMIS servers scanned by the FEMA SOC to ensure that vulnerability scans performed include all NEMIS servers within the current operating environment. Additionally, develop and implement procedures to ensure that this listing is periodically re-evaluated and updated as appropriate.
  • Revise the SOC distribution listing of NEMIS system owners and other appropriate IT security management to further define personnel responsible for remediating and formally tracking all vulnerabilities identified over the various NEMIS components. Additionally, develop and implement procedures to ensure that this listing is periodically re-evaluated and updated as appropriate.

FEMA-IT-10-34    New Issue: -    Repeat Issue: X    Risk Rating: 3

Condition:
  Weaknesses noted in FY 2009 over FEMA’s information security vulnerability management program as it relates to G&T IFMIS and IFMIS-Merger continue to exist in FY 2010. Specifically:
  • FEMA did not have documented and approved procedures that establish formal requirements, processes, and responsibilities for performing regular vulnerability scans of G&T IFMIS and IFMIS-Merger.
  • For one of the three months selected for testing, vulnerability scans were not performed for the G&T IFMIS production server.
  • For all three months selected for testing, vulnerabilities reported by the FEMA SOC over the G&T IFMIS and IFMIS-Merger production servers were not formally tracked via the POA&M process, as required by DHS policy.

Recommendation:
  We recommend that FEMA establish and implement documented procedures that define formal requirements, processes, and responsibilities for performing regular vulnerability scans of IFMIS-Merger. Additionally, procedures should include requirements for reporting and tracking resolution of weaknesses identified during internal IFMIS-Merger vulnerability scans in accordance with DHS POA&M guidance.
  No corrective action specific to the portion of this finding related to G&T IFMIS will be provided because of the decommissioning of that system in June 2010.

FEMA-IT-10-35    New Issue: -    Repeat Issue: X    Risk Rating: 2

Condition:
  In FY 2009, we identified weaknesses over FEMA’s patch management program related to NEMIS. During the FY 2010 integrated audit, we determined that while FEMA has finalized and formally implemented the FEMA OCIO SOP for Vulnerability Patch Management, the SOP was not approved until April 8, 2010. Consequently, FEMA did not have a formal patch management procedure applicable to the NEMIS environment for a majority of the fiscal year. Additionally, we determined that FEMA has not fully and consistently implemented the requirements and procedures documented in the SOP for all NEMIS components in accordance with FEMA and DHS guidance.

Recommendation:
  We recommend that FEMA further document and fully implement comprehensive system-specific patch management procedures to ensure that NEMIS operating system and database patches are tested and deployed in a timely manner, in accordance with DHS and FEMA policy. Additionally, these policies and procedures should include formal designation of responsibilities for oversight and implementation of required patch management activities for all NEMIS components to ensure compliance at the system level.

FEMA-IT-10-36    New Issue: -    Repeat Issue: X    Risk Rating: 3

Condition:
  Weaknesses identified in FY 2009 related to the testing of NEMIS production database backup tapes continue to exist in FY 2010. Specifically:
  • During two quarters of FY 2010, FEMA conducted restoration tests of backup tapes for one specific NEMIS database, while FEMA’s SOP for Tape Backup Testing documents requirements for the testing of 39 databases. Consequently, we determined that FEMA did not regularly test backup tapes containing all NEMIS production database data during the fiscal year.
  • Additionally, while we noted that the Standard Operating Procedure for Tape Backup Testing assigns responsibility for testing backup tapes in accordance with a defined schedule to NEMIS IT security management, administrators, and system owners, the SOP was not updated to reflect the required schedule for performing tape restoration tests.
  Furthermore, we noted the following new weaknesses related to controls over the performance of NEMIS database backups:
  • FEMA has not formally defined and documented procedures that outline processes for performing backups of NEMIS production databases and for rotating and physically securing backup tapes off-site.
  • FEMA was unable to provide requested documentation to evidence that any of the 39 NEMIS production databases identified in the Standard Operating Procedure for Tape Backup Testing are currently being backed up.

Recommendation:
  • Develop and implement backup policies and procedures to ensure that all NEMIS components are backed up and backup media is stored in/rotated to an off-site facility according to FEMA and DHS requirements.
  • Revise or develop policies and procedures to periodically test and document testing of the NEMIS backups in compliance with FEMA and DHS requirements. In addition, ensure that policies and procedures are implemented to perform periodic restoration testing of all NEMIS production databases in accordance with established requirements.

FEMA-IT-10-37    New Issue: X    Repeat Issue: -    Risk Rating: 3

Condition:
  During our social engineering testing, several personnel provided us with user IDs and/or passwords.
  It should be noted that several personnel that we contacted by phone during our social engineering phone calls challenged our requests for user access credentials by looking up our assumed names in the FEMA directory to determine if we were FEMA personnel, requesting employee IDs, asking for help desk ticket numbers associated with our calls, and reporting our attempts to supervisors.
  While individuals contacted represented several offices in multiple FEMA regions as well as Headquarters, our selection of individuals was not statistically derived. Therefore, we are unable to project these results to FEMA as a whole.

Recommendation:
  We recommend that FEMA management review the effectiveness of existing security awareness programs designed to protect “need-to-know” information, including IT system access credentials, and ensure that individuals are adequately instructed and reminded of their roles in the protection of sensitive system information from unauthorized individuals through formal, periodic communications and/or security awareness training.

FEMA-IT-10-38    New Issue: -    Repeat Issue: X    Risk Rating: 2

Condition:
  During our after-hours physical security testing conducted on July 20, 2010, we noted instances of improperly protected authentication credentials, system information, information technology assets, and PII in the facilities inspected.
  Some of the instances of improperly secured PII noted in the table above consisted of large stacks of documents or compiled spreadsheets that contained PII for numerous individuals conducting business for or with FEMA. Exceptions categorized as “Other” consisted of laptops and other IT assets not physically secured/locked to workspaces, unsecured bank account and government travel card information, and the lack of adequate locking mechanisms on a server room door.
  Our selection of areas at each facility that were inspected was not statistically derived, and therefore, we are unable to project results to FEMA as a whole.

Recommendation:
  We recommend that FEMA management review the effectiveness of existing security awareness programs designed to protect electronic and physical data, PII, and FOUO agency information and ensure that individuals are adequately instructed and reminded of their roles in the protection of both electronic and physical FEMA data and hardware through formal, periodic communications and/or security awareness training.

FEMA-IT-10-39    New Issue: -    Repeat Issue: X    Risk Rating: 3

Condition:
  As noted during the FY 2009 audit, weaknesses continue to exist over the segregation of duties controls for the migration of IFMIS-Merger changes into production. Specifically:
  • The FEMA development contractor continues to deploy changes into the UNIX production environment through the use of the shared “ifmiscm” account. We noted that FEMA change management personnel are following SOPs that outline the controls intended to mitigate the risk associated with the IFMIS-Merger developers having the ability to migrate changes to the IFMIS-Merger production environment. In particular, the Office of the Chief Financial Officer (OCFO) IFMIS System Change Request (SCR) SOP requires the locking and unlocking of the “ifmiscm” account by system administrators during the implementation of software changes into production. However, we determined that while the SCR SOP states that system administrators will periodically monitor production directories to detect updates, no formal procedures or processes are included in the SOP or documented elsewhere detailing how to monitor the directories or the requirements for performing the reviews to verify that only authorized changes to the “ifmiscm” directory and sub-directories are implemented into production by the developers.
  • We determined that although informal reviews of the directories were performed during the fiscal year, they were not routinely relied upon by FEMA management as they did not provide the level of detail required for adequate monitoring, and FEMA personnel were not able to distinguish the types of changes made to the system from the “ifmiscm” account.

Recommendation:
  We recommend that FEMA document and implement policies and procedures to limit IFMIS-Merger developer access to the production environment to “read only” and segregate the responsibility for deploying application code changes into production from the development contractor to an independent control group. If business needs require that the segregation of duties cannot be immediately implemented, FEMA should document and implement policies and procedures to mitigate the risk associated with the segregation of duties weakness noted in accordance with DHS guidance, including a formalized process for performing and documenting reviews of activity performed by developers within the IFMIS-Merger environment.

FEMA-IT-10-40    New Issue: -    Repeat Issue: X    Risk Rating: 3

Condition:
  As noted during the FY 2009 audit, weaknesses continued to exist over the segregation of duties controls for the migration of G&T IFMIS changes into production during FY 2010.
  Specifically, the “ifmiscm” account was used by the FEMA development contractor to deploy changes into the UNIX production environment. Per our review, we noted that the G&T IFMIS application programmers responsible for maintaining and developing changes for the G&T IFMIS application were also responsible for migrating application code changes into the production environment using the “ifmiscm” account. We were informed by FEMA personnel that the controls over this account did not change from FY 2009 and that the account remained unlocked while G&T IFMIS was operational between October 2009 and June 2010, when the system was decommissioned. We were further informed by FEMA personnel that access to the “ifmiscm” account was not limited or monitored on a periodic basis, allowing the development contractor unrestricted access to the production environment.
  Additionally, we noted that FEMA has documented policies and procedures that require the IFMIS-Merger “ifmiscm” account to be locked and use of the account to be monitored. However, we noted that no established procedures or controls were in place for G&T IFMIS to mitigate the risk associated with this account.
  Consequently, we determined that while the G&T IFMIS application server was decommissioned in June 2010, the weaknesses over segregation of duties controls in the G&T IFMIS configuration management process continued to exist for the majority of FY 2010, and prior year NFR FEMA-IT-09-59 is reissued.

Recommendation:
  There is no recommended corrective action specific to this finding because of the decommissioning of G&T IFMIS in June 2010.

FEMA-IT-10-41    New Issue: -    Repeat Issue: X    Risk Rating: 3

Condition:
  Password, patch management, and configuration management weaknesses were identified during vulnerability assessment technical testing.
  Note: Due to the nature of this finding, see the tables in the associated NFR for the specific details of the conditions.

Recommendation:
  Implement the specific corrective actions listed in the NFR for each technical control weakness identified.
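NFRs FEMA-IT-10-39 and FEMA-IT-10-40 describe two controls around the shared “ifmiscm” deployment account that the SOP names but does not spell out: keeping the account locked outside an approved change window, and monitoring the production directories so that only authorized changes are implemented. The script below is an added example of how an independent control group could perform both checks; it is not a FEMA or KPMG procedure. The account name “ifmiscm” comes from the finding; the shadow entries, hash placeholders, directory layout, file contents and function names are constructed for the example.

```shell
#!/bin/sh
# Added example for FEMA-IT-10-39/40; not a FEMA or KPMG procedure.
# Two checks an independent control group could run around a shared
# deployment account such as "ifmiscm":
#   1. is_account_locked: read the account's shadow entry and report whether
#      its password is disabled (a leading '!' or '*' in the password field),
#      i.e. whether the account is locked outside an approved change window.
#   2. make_baseline / compare_baseline: hash every file under the production
#      directory, keep the manifest, and later report ADDED, REMOVED and
#      MODIFIED files so each change can be matched to an approved SCR.
# Shadow entries, directory layout and file contents below are constructed;
# the hash strings are placeholders, not real password hashes.

SAMPLE_SHADOW='ifmiscm:!$6$PLACEHOLDERHASH:18500:0:99999:7:::
appadmin:$6$PLACEHOLDERHASH:18500:0:99999:7:::
svcbatch:*:18500:0:99999:7:::'

# is_account_locked <user> <shadow-text>: prints locked, unlocked or unknown.
# An empty password field is reported as unlocked: no password is required.
is_account_locked() {
  line=$(printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print; exit }')
  if [ -z "$line" ]; then
    echo unknown
    return 0
  fi
  field=${line#*:}
  field=${field%%:*}
  case $field in
    '!'*|'*'*) echo locked ;;
    *)         echo unlocked ;;
  esac
}

# hash_file <path>: SHA-256 of one file (sha256sum on GNU, shasum elsewhere).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# make_baseline <dir> <manifest>: write "hash<TAB>relative path" for every
# regular file under <dir>, sorted so two manifests compare line by line.
make_baseline() {
  (
    cd "$1" && find . -type f | sort | while IFS= read -r f; do
      printf '%s\t%s\n' "$(hash_file "$f")" "$f"
    done
  ) > "$2"
}

# compare_baseline <old-manifest> <new-manifest>: one line per difference,
# sorted; prints nothing when the tree is unchanged.
compare_baseline() {
  awk -F'\t' '
    FILENAME == ARGV[1] { old[$2] = $1; next }
    {
      new[$2] = $1
      if (!($2 in old))       print "ADDED " $2
      else if (old[$2] != $1) print "MODIFIED " $2
    }
    END { for (p in old) if (!(p in new)) print "REMOVED " p }
  ' "$1" "$2" | sort
}

# demo_change_detection: build a throwaway "production" tree, baseline it,
# simulate activity under the shared account, and print the change report.
demo_change_detection() {
  work=$(mktemp -d)
  mkdir -p "$work/prod/bin" "$work/prod/cfg"
  printf 'release 1\n' > "$work/prod/bin/app.sh"
  printf 'db=prod\n'   > "$work/prod/cfg/app.conf"
  printf 'old\n'       > "$work/prod/cfg/retired.conf"
  make_baseline "$work/prod" "$work/baseline.txt"

  printf 'release 2\n' > "$work/prod/bin/app.sh"     # modified file
  printf 'echo hi\n'   > "$work/prod/bin/hotfix.sh"  # added file
  rm -f "$work/prod/cfg/retired.conf"                # removed file
  make_baseline "$work/prod" "$work/current.txt"

  compare_baseline "$work/baseline.txt" "$work/current.txt"
  rm -rf "$work"
}
```

In use, the baseline manifest would be taken by the control group immediately after each approved deployment and stored outside the developers’ reach, so that the next comparison lists exactly the files touched since the last authorized change; the lock check is run at the close of every change window and its result recorded with the SCR.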
FEMA-IT-10-42    New Issue: X    Repeat Issue: -    Risk Rating: 3

Condition:
  During the FY 2010 integrated audit, we noted the following weaknesses over the completeness and accuracy of certain C&A artifacts that support the Authorizing Official’s decision to grant an ATO for IFMIS-Merger:
  • A risk assessment for IFMIS-Merger had not been completed or documented prior to granting an ATO, in accordance with DHS and NIST requirements. Additionally, FEMA does not plan to conduct and document a risk assessment or the results of the required risk assessment activities for IFMIS-Merger, as FEMA management has indicated that it is not required for FY 2010.
  • The ATO was signed in June 2010, more than three months after the IFMIS-Merger system was operational in late February 2010.
  • Per our review of the security assessment report, the assessment performed over IFMIS-Merger prior to granting the ATO did not include evaluation of any of the controls identified within the SSP. The assessment was limited to vulnerability and compliance scans.
  • The ST&E was not properly conducted because the baseline controls in the Requirements Traceability Matrix were not consistent with DHS requirements.

Recommendation:
  • Update and complete all required C&A artifacts for IFMIS-Merger in accordance with DHS policy and NIST guidance.
  • Ensure that C&A artifacts, including the risk assessment or the results of the required risk assessment activities, the ST&E, and the Security Assessment Report (SAR), are conducted and documented in accordance with established DHS baseline controls according to the security categorization of the system.

FEMA-IT-10-43    New Issue: X    Repeat Issue: -    Risk Rating: 3

Condition:
  During the FY 2010 integrated audit, we noted that the most recent ATO for NEMIS was signed on October 29, 2009. However, we identified weaknesses in the completeness and accuracy of certain C&A artifacts that support the Authorizing Official’s (AO) decision to grant the ATO for NEMIS. Specifically, the NEMIS Risk Assessment, ST&E, and SAR were completed in 2006, and thus outdated, as DHS policy requires C&A artifacts supporting ATOs to be updated within the 13 months prior to granting the most recent ATO, and NIST requires each to be conducted every 3 years.

Recommendation:
  We recommend that FEMA update and complete all required C&A artifacts for NEMIS in accordance with DHS policy and NIST guidance.

FEMA-IT-10-44    New Issue: -    Repeat Issue: X    Risk Rating: 3

Condition:
  Conditions noted in FY 2009 related to weaknesses over controls in place to monitor and restrict access to highly-privileged system accounts within the UNIX environment that supports IFMIS-Merger and G&T IFMIS continue to exist in FY 2010. Specifically:
  • Access to the “root” account is not properly restricted and system administrator activities are not appropriately logged. Specifically, the password to access the UNIX “root” administrator account is shared between the administrators, and remote access to the root account is not locked down.
  • System administrator actions are not monitored and attributable to individual administrators. Specifically, FEMA has not enforced the use of the “sudo” command, which requires system administrators to log in with their individual user ID and then switch over to the root account, to ensure that whoever accesses the account is logged and authorized.
  • System logs and reports of administrator activity, including the “sudo” log which monitors actions performed by administrators while acting as the “root” account, were not reviewed by FEMA management personnel independent of the system administration staff.

Recommendation:
  We recommend that FEMA document and implement appropriate technical and management controls to restrict and monitor access to privileged system administrator accounts on the IFMIS-Merger operating system, including use of the “root” account, in accordance with DHS and FEMA policy. Additionally, policies and procedures should include requirements to ensure that system logs and records of administrator activity, including the “root” account, are retained and reviewed by IT security management independent of the system administration team, especially where individual traceability for the account is not possible.
  There is no recommended corrective action specific to the portion of this finding related to G&T IFMIS because of the decommissioning of G&T IFMIS in June 2010.

FEMA-IT-10-45    New Issue: -    Repeat Issue: X    Risk Rating: 2

Condition:
  In FY 2009, we noted weaknesses over suitability determinations for federal employees and contractors with sensitive IT system access that continued to exist in FY 2010. Specifically, of 15 federal employee positions selected for testing:
  • Three did not have evidence of a completed background investigation on file that met minimum investigative requirements specified by DHS policy.
  • For one employee, FEMA was unable to provide any documentation to evidence that the employee’s background investigation was performed and maintained within ISMS, FEMA’s personnel suitability and investigation recordkeeping utility.
  • Nine that are defined as “high risk” according to FEMA policy did not have an appropriate position sensitivity designation that reflected the risk level required by DHS policy.
  During our FY 2010 test work over contractors, we determined that no formal procedures have been developed or implemented by FEMA to address DHS requirements surrounding the suitability screening of contractors accessing DHS IT systems. Additionally, we selected a population of 15 contractors with access to multiple FEMA information systems who hold sensitive IT security positions at FEMA, such as system administrators, database administrators, and systems development contractors, and determined that FEMA has not appropriately conducted suitability investigations.

Recommendation:
  • Further define and refine documented processes to ensure that background investigations for all Federal employees are performed and procedures are implemented in accordance with DHS directives.
  • Re-evaluate and assign the correct position sensitivity levels to all Federal employees with access to DHS information systems in accordance with DHS policy. Additionally, document and/or revise, and fully implement, procedures to ensure that program managers are aware of requirements and appropriate position sensitivity levels are designated for all sensitive IT positions in the future.
  • Document and fully implement procedures within FEMA Acquisitions, FEMA Personnel Security, and FEMA IT to ensure a more centralized and coordinated process for tracking and completing background investigations over contractor personnel in accordance with DHS policy.
  • Ensure that all system owners document and correctly define the appropriate sensitivity designations for contractor personnel needing access to their information systems in accordance with DHS policy. Additionally, ensure that position sensitivity designations are assigned based on the type of privileges needed, and require contractors to have their suitability investigations completed prior to being granted access to the system in accordance with FEMA and DHS policy.
Specifically:\n             \xef\xbf\xbd    For two, FEMA was unable to provide any\n                  documentation to evidence that the\n                  contractor\xe2\x80\x99s record was maintained within\n                  ISMS, including the status of any background\n                  investigations performed.\n             \xef\xbf\xbd    Six did not have evidence of a completed\n                  background investigation on file that meets\n                  minimum investigative requirements specified\n                  by DHS policy. Of the six, two had records\n                  maintained within ISMS; however, FEMA\n                  was unable to provide evidence that\n                  background investigations for each were\n                  performed.\n             \xef\xbf\xbd    None had position sensitivity designations\n                  defined by FEMA for the sensitive IT position\n                  they held at the time of our test work, as\n                  required by DHS policy.\nFEMA-    During the FY 2010 integrated audit, we noted             \xef\xbf\xbd   Document and implement a formalized process and                 X      3\nIT-10-   weaknesses in controls over the configuration                 procedures for deploying NEMIS changes to\n  46     management of application, web, and database servers          ensure the movement of production code for the\n         within the NEMIS production environment.                      NEMIS production environment is appropriately\n         Specifically:                                                 controlled.       Procedures      should    include\n                                                                       requirements for restricting and, monitoring access\n         1. 
Access to the multiple application, web, and               and documenting reviews to the NEMIS\n             database servers that comprise the NEMIS                  production environment to ensure that the\n             production environment for deploying approved             principles of least privilege and segregation of\n             code changes is limited to IT Enterprise Operations       duties are enforced, in accordance with DHS\n             staff.     However, no formalized change                  guidance.\n             management procedures exist for deploying             \xef\xbf\xbd   Ensure that adequate technical controls are\n             changes to ensure the movement of production              implemented to enforce least privilege and\n             code for the NEMIS production environment is              segregation of duties requirements for the\n             appropriately controlled.                                 implementation of system changes. If individual\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 96\n\x0c                                                                                                                                         Appendix B\n                                                   Department of Homeland Security\n                                               Information Technology Management Letter\n                                                          September 30, 2010\n\nNFR                                                                                                                              New     Repeat Risk\n                               Condition                                               Recommendation\n#No                                                                                                                              Issue    Issue Rating\n            
                                                              accounts are not possible for deploying changes,\n         2. Access to a shared service account is used for the            implement logical access controls, including\n             deployment of Linux changes. However, FEMA                   configuration of system audit logs, on NEMIS\n             was unable to provide any system documentation               production servers to establish individual\n             or associated artifacts demonstrating that FEMA              accountability for all FEMA personnel with access\n             was appropriately restricting and controlling access         to the environment through the shared service\n             to the NEMIS production application, web, and                account, in accordance with DHS and FEMA\n             database servers.                                            policy. Additionally, for these shared service\n                                                                          accounts, document, implement, and approve\n                                                                          standard      operating     procedures   for     the\n                                                                          implementation and formal review of NEMIS\n                                                                          system changes on production servers.\nFEMA-                                                                 \xef\xbf\xbd   Define and implement formal and repeatable entity                X      2\n         In FY 2009, we noted that FEMA\xe2\x80\x99s OCFO and NFIP\nIT-10-                                                                    level control processes to ensure that financial\n         financial systems development and acquisition projects\n  47                                                                      systems development and acquisition projects are\n         were undertaken and 
progressed without (1) proper\n         oversight of and direction to contractors, (2)                   conducted in compliance with DHS System\n         development and approval of required project                     Engineering Life Cycle (SELC) and acquisition\n         documentation, (3) the continual involvement of the              requirements as well as Federal guidance. The\n         OCIO to ensure appropriate consideration and                     processes should define steps to include, but are\n         integration of IT security, and (4) the joint                    not limited to, formal approval of required project\n         communication and decision-making of FEMA OCFO,                  documentation, sufficient contractor oversight,\n         OCIO and NFIP management. As a result, we                        definitions of project roles and responsibilities so\n         recommended that FEMA management define and                      that decision making includes the appropriate\n         implement formal and repeatable processes to ensure              involvement of all stakeholders and relevant\n         that financial systems development and acquisition               FEMA management, establishment of ADEs at\n         projects are conducted in compliance with DHS SELC               each SELC phase, and integration of IT security\n         and acquisition requirements as well as Federal                  considerations throughout all project phases.\n         guidance.                                                    
\xef\xbf\xbd   Identify and formally assign stakeholders\n                                                                          associated with the remediation efforts over\n         During the FY 2010 integrated audit, we determined               aligning the DHS SELC methodology with\n         that FEMA management has not implemented                         FEMA\xe2\x80\x99s acquisition development process to\n         corrective actions or developed a corrective action plan         ensure appropriate participation from all required\n         to address the prior year weaknesses noted.                      organizations within FEMA in both the\n         Specifically, entity level corrective actions to integrate       development of policies and procedures and\n         and develop sufficient and effective methods of                  integration of the financial systems acquisitions\n         communication to ensure that significant financial-              life cycle stages as required by DHS policy.\n                     Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                        Page 97\n\x0c                                                                                                                                      Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\nNFR                                                                                                                           New     Repeat Risk\n                              Condition                                             Recommendation\n#No                                                                                                                           Issue    Issue Rating\n         
related system development and acquisition projects\n         involve all relevant stakeholders, including the OCFO,\n         have not been established. Additionally, FEMA\n         management has not taken action to enhance and\n         further develop current acquisition management\n         processes to ensure that organization-specific\n         requirements exist and are implemented so that each\n         project meets organizational mission needs and\n         functional and technical requirements as required by\n         DHS and NIST guidance.\nFEMA-    FEMA IT security management responsibilities were         \xef\xbf\xbd   Establish and document a formalized process to                   X      3\nIT-10-   not consistently or adequately assigned and performed         provide IT security management oversight to\n  48     over the FEMA POA&M process for FY 2009 IT audit              ensure that adequate periodic review and\n         findings, in accordance with DHS guidance.                    assessment of security controls are performed and\n         Specifically:                                                 corrective actions are appropriately assigned and\n                                                                       implemented over identified security weaknesses\n         \xef\xbf\xbd   POA&Ms created by FEMA management in\n                                                                       through the POA&M process.\n             response to FY 2009 IT financial statement audit\n             findings were not consistently categorized with the   \xef\xbf\xbd   Dedicate resources to fully implement DHS\n             appropriate criticality level in accordance with          requirements over the POA&Ms for audit findings\n             DHS policy.       
Specifically, for 52 POA&Ms             of FEMA financial systems, including the proper\n             provided by FEMA on May 3, 2010, criticality was          categorization of audit findings, documentation of\n             either undefined or erroneously defined as \xe2\x80\x9cAnnual        all stakeholders with remediation responsibilities,\n             Assessment Finding\xe2\x80\x9d rather than \xe2\x80\x9cInitial Audit            and monitoring of POA&M activities to validate\n             Finding\xe2\x80\x9d or \xe2\x80\x9cRepeat Audit Finding,\xe2\x80\x9d as required.          that corrective actions are appropriately\n                                                                       documented with associated milestones and\n         \xef\xbf\xbd   FEMA management did not consistently document             evidence of remediation is developed and retained.\n             detailed corrective action plans or appropriate       \xef\xbf\xbd   Develop and implement a training program for\n             milestones, including required tests of design and        personnel with IT security responsibilities, such as\n             effective implementation for financial system             system owners and ISSOs, to ensure that they fully\n             POA&Ms.                                                   
understand their roles and responsibilities to\n                                                                       correctly categorize the findings, formally define\n         \xef\xbf\xbd   FEMA management did not consistently assign               milestones, and validate the documentation and\n             POA&M stakeholder ownership for corrective\n                                                                       testing of the corrective action implemented.\n             action plans or related milestones.\n                                                                   \xef\xbf\xbd   Develop and implement review procedures to\n                                                                       ensure developed POA&Ms are detailed enough to\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 98\n\x0c                                                                                                                                        Appendix B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\nNFR                                                                                                                             New     Repeat Risk\n                               Condition                                             Recommendation\n#No                                                                                                                             Issue    Issue Rating\n                                                                        demonstrate that the root cause of the issue has\n                                                                        been assessed and the milestones address the\n                     
                                                   necessary steps to fully remediate the weaknesses\n                                                                        as required by DHS policy.\nFEMA-    During the FY 2010 follow-up testwork, we                  \xef\xbf\xbd   Dedicate resources to assess the usage of IFMIS-                  X      2\nIT-10-   determined that weaknesses noted in FY 2009 continue           Merger system security functions against DHS\n  49     to exist. Specifically, we determined that no additional       policy requirements and determine gaps that exist\n         policies and procedures to establish a process for             within existing system documentation over the\n         implementing change controls for the maintenance of            security functions.\n         system security functions have been developed by           \xef\xbf\xbd   Develop and implement policies and procedures\n         FEMA or the IT developer of IFMIS-Merger. FEMA                 documenting the process of adding, deleting, and\n         has not adequately ensured that appropriate privileges         modifying       IFMIS-Merger      system     security\n         granted to users are created, documented, and                  functions to ensure that proper controls are in place\n         approved.                                                      for approving, testing and documenting these\n                                                                        functions prior to implementation, in accordance\n         We were informed by FEMA personnel that the system             with DHS policy. These policies and procedures\n         security functions are created and modified to provide         should include requirements over independent\n         additional functionality under specific menus in the           monitoring of the creation, modification and\n         IFMIS-Merger application. 
As a result, these changes           deletion of system security functions, and\n         to the menu provide additional functionality to the            requirements for updating system documentation\n         users with access to those menus. However, current             to reflect the impact of the changes to user account\n         documentation over IFMIS-Merger, including access              privileges.\n         authorization forms, change management plans and\n                                                                    \xef\xbf\xbd   Develop and implement procedures to ensure that\n         System Security Plans, do not define how to manage\n                                                                        functions updated through the change management\n         and document changes to these functions to ensure that\n                                                                        process are formally approved and documented\n         approved changes are made and appropriate and\n                                                                        and that appropriate system documentation for\n         traceable access is granted to IFMIS-Merger users.\n                                                                        IFMIS-Merger system security functions is\n                                                                        updated and retained, in accordance with DHS\n         While FEMA has received the IFMIS Security\n                                                                        policy.\n         Functions Reference Guide dated 2007 from the\n         software vendor, we determined that the documentation\n         is a technical reference manual that defines the\n         capabilities of the system, usage of the various system\n         security functions, menu options and related\n         permissions for each function. 
However, the guide\n         does not address the management of these system\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 99\n\x0c                                                                                                                                      Appendix B\n                                                   Department of Homeland Security\n                                               Information Technology Management Letter\n                                                          September 30, 2010\n\nNFR                                                                                                                           New     Repeat Risk\n                               Condition                                              Recommendation\n#No                                                                                                                           Issue    Issue Rating\n         security functions from a change control and access\n         control perspective for FEMA. 
Additionally, the guide\n         does not include requirements for updating system\n         documentation and tracking these system security\n         function changes to privileges in the system.\n\n         Consequently, based on our testwork, we concluded\n         that a formalized process for modifying specific\n         IFMIS-Merger system security functions to ensure that\n         appropriate privileges are created, documented,\n         approved, and monitored does not exist.\nFEMA-    During the FY 2010 FEMA integrated audit, we                 \xef\xbf\xbd   Implement and require two-factor authentication               X      3\nIT-10-   determined that the following conditions related                 for all remote access to the FEMA network, as\n  50     authorization of external connections to the FEMA                required by DHS policy and FIPS 140-2.\n         VPN continue to exist:                                       \xef\xbf\xbd   Revise and implement policies and procedures for\n         \xef\xbf\xbd   Two-factor authentication is not used for VPN                documenting, reviewing, and approving the\n             access, as required by DHS policy.                           security controls in place over non-DHS\n                                                                          equipment connecting to the FEMA network via\n         \xef\xbf\xbd   The existing documentation that defines the                  VPN access. Specifically, clearly define and\n             process for granting and maintaining VPN access              document a formalized process for the\n             to the FEMA network does not include                         authorization, review, and maintenance of VPN\n             requirements for administering the site survey               access agreements between FEMA and external\n             process, including requirements for the                      entities. 
Additionally, ensure that within the\n             authorization of the sites surveys, recertification of       policies and procedures, appropriate roles and\n             site surveys, and the security requirements                  responsibilities over the process are defined to\n             associated with the various aspects of the process.          include authorizations by the CISO/ISSM to\n                                                                          connect to non-DHS equipment.\n         \xef\xbf\xbd   FEMA has not formally identified and documented\n                                                                      \xef\xbf\xbd   Ensure that agreements related to VPN access are\n             the roles and responsibilities necessary within              reviewed and recertified when a major system\n             FEMA to properly authorize and administer VPN\n                                                                          change occurs or every three years, in accordance\n             access to individuals using non-DHS equipment to             with DHS policy.\n             access the FEMA network.\n                                                                      \xef\xbf\xbd   Formally identify and document appropriate roles\n         \xef\xbf\xbd   Access for state emergency management agencies               and responsibilities related to management of\n             and FEMA contractors to load the VPN client onto             remote access to the FEMA network, including\n             state or contractor owned equipment to connect to            iPass and VPN.\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 100\n\x0c                                                                                                                                    Appendix B\n                                              
Department of Homeland Security\n                                          Information Technology Management Letter\n                                                     September 30, 2010\n\nNFR                                                                                                                         New     Repeat Risk\n                           Condition                                              Recommendation\n#No                                                                                                                         Issue    Issue Rating\n          the FEMA LAN is approved by the SOC.                   \xef\xbf\xbd   Document and implement policies and procedures\n          However, DHS policy requires that any non-DHS              to ensure that formalized ISAs, MOUs, or MOAs,\n          equipment connecting to a DHS network must be              delineating security responsibilities by FEMA and\n          authorized by the Component CISO/ISSM.                     external organizations when connecting through\n                                                                     non-DHS equipment to the FEMA network via\n      \xef\xbf\xbd   FEMA\xe2\x80\x99s VPN Rules of Behavior for Users Behind\n                                                                     VPN access are used. 
(Continued from the previous page)

Condition (continued):
Corporate Firewalls, dated December 5, 2002, requires an Inter-Agency VPN Agreement between FEMA and external organizations before permitting VPN access to the FEMA network through non-Government issued equipment such as contractor or state agency workstations. However, we determined that Inter-Agency VPN Agreements have not been documented and that this requirement is inconsistent with DHS policy, which requires ISAs or MOUs/MOAs prior to establishing a VPN connection from equipment operating on an external network.
• FEMA's approval of requests for network connections to external organizations through VPN access for remote users is based on security control information submitted by the external entities via site surveys. Based upon our review of existing site surveys and the site survey process, we noted that:
  • The site surveys do not contain the level of technical granularity describing the external network security controls required to appropriately approve a connection to the FEMA LAN, and the FEMA SOC does not independently verify the accuracy of information in the site surveys submitted by external entities prior to approving the connection and subsequently granting VPN access to users.
  • DHS guidance indicates that a single ISA may be used for multiple connections provided that the security accreditation is the same for all connections covered by that ISA. However, we determined that the security accreditation of the connecting networks is not being evaluated by the FEMA SOC during the review of site surveys to ensure the security requirements are appropriately implemented.

Recommendation (continued):
Such agreements should include evidence of validation by FEMA management that security controls in place on external entity networks are appropriate and satisfy requirements for minimum security controls on DHS and FEMA systems prior to connection in accordance with DHS policy.

Information Technology Management Letter for the FY 2010 Financial Statement Audit
Page 101

Appendix B
Department of Homeland Security
Information Technology Management Letter
September 30, 2010

Table columns: NFR No | Condition | Recommendation | New Issue | Repeat Issue | Risk Rating

NFR No: FEMA-IT-10-51
Repeat Issue: X
Risk Rating: 3

Condition:
In FY 2009, we identified weaknesses over configuration management controls related to NEMIS program libraries and directories within the TDL environment. During the FY 2010 integrated audit, we determined that the following weaknesses continue to exist:
• Controls to segregate access within the TDL environment have not been appropriately implemented. Specifically, IT Systems Integration personnel do not grant separate privileges to development code, which is moved to TDL by the systems developer, and pre-production code, which has completed User Acceptance Testing (UAT) and is pending deployment to the NEMIS production environment. As a result, developers have read, write and execute privileges to all code in the TDL environment.
• Code approved for implementation is not locked down within the TDL environment prior to deployment to production. Additionally, while an ad-hoc review is performed over the directories to monitor the modification dates on the production code directories, this process is not performed consistently or documented to mitigate the risk associated with not restricting access to the approved code.

Recommendation:
• Document and implement formalized policies and procedures for restricting and monitoring access to the NEMIS TDL directories to ensure that the principles of least privilege and segregation of duties are enforced, in accordance with DHS guidance. The process should include requirements over periodic monitoring and documented reviews of NEMIS TDL directories to verify that no changes have occurred after the approval of NEMIS system changes.
• Implement technical controls within the NEMIS TDL environment to limit developers' access to pre-production directories containing "locked" application code changes to "read only". If business needs require that the segregation of duties cannot be immediately implemented, FEMA should document and implement policies and procedures to compensate for the risk associated with the segregation of duties weakness noted, in accordance with DHS guidance.

NFR No: FEMA-IT-10-52
Repeat Issue: X
Risk Rating: 2

Condition:
Conditions noted in FY 2009 related to weaknesses over vulnerability assessments for the Windows server environment within the NFIP LAN supporting the Traverse application continue to exist in FY 2010. Specifically:
• While procedures have been developed, the NFIP contractor has not fully implemented the process for conducting internal vulnerability scans for information systems and for assessing, reporting, and correcting identified weaknesses through the POA&M Process in accordance with FEMA and DHS guidance.
• FEMA does not have documented and approved procedures that establish formal requirements, processes, and responsibilities for conducting monitoring and oversight of regular vulnerability scans performed over the NFIP LAN which supports Traverse to meet DHS vulnerability assessment requirements.
• Furthermore, while ad hoc scans were performed in previous years by the contractor, evidence of periodic NFIP network scanning conducted in FY 2010 could not be obtained. Additionally, we inquired with FEMA and determined that scans over the NFIP LAN supporting the Traverse application were not performed by the FEMA SOC.

Recommendation:
• Document and implement formal policies and procedures that outline the processes and requirements for performing internal vulnerability scans over all NFIP information systems as well as the process for assessing, reporting, and correcting weaknesses identified during scans as required by FEMA and DHS policy.
• Ensure that policies and procedures formally designate responsibilities of FEMA OCIO and NFIP IT security management for the implementation, monitoring, and oversight of the vulnerability scanning process, so that the scope of vulnerability scans conducted includes all NFIP workstations and servers and includes requirements for formally tracking and monitoring the remediation of vulnerabilities identified during the internal scans of the NFIP LAN through the POA&M process, in accordance with DHS policy.

NFR No: FEMA-IT-10-53
Repeat Issue: X
Risk Rating: 2

Condition:
During our FY 2010 integrated audit test work, we noted that NFIP has not established or implemented an effective process to periodically recertify user access, including service accounts, on the TRRP mainframe. Currently, NFIP requires users to sign security awareness and training certifications on an annual basis. However, no review of users' access and privileges is conducted by management on a periodic basis to ensure system access remains appropriate and commensurate with job responsibilities in accordance with DHS guidance.

Additionally, we noted through inspection of the TRRP access procedures that no process has been established to formally document both the approval and business need for service accounts.

Recommendation:
• Complete the revision, documentation, and full implementation of TRRP access control policies and procedures, and ensure that they include a formalized process for the recertification of all accounts on the mainframe, including service accounts, on an annual basis to determine that access remains appropriate and commensurate with job responsibilities in accordance with DHS policy.
• Document and implement policies and procedures over the creation of service accounts to ensure that they are appropriately authorized and that a clear business need is established and documented justifying the creation and use of these types of accounts in accordance with DHS policy.

NFR No: FEMA-IT-10-54
New Issue: X
Risk Rating: 3

Condition:
During the FY 2010 integrated audit, we determined that weaknesses existed in the implementation of DHS SELC requirements over the IFMIS-Merger Project. Specifically, throughout the lifecycle of the project, FEMA management did not adequately define and implement required elements of the DHS SELC process, including:
• A detailed and comprehensive Project Tailoring Plan to define required stages, activities, artifacts and exit criteria for the project per DHS SELC guidance was not developed and approved by FEMA management.
• Approvals for project critical documentation demonstrating that all required stakeholders reviewed and approved the results before advancing to subsequent SELC stages could not be provided.
• FEMA could not provide a Data Migration Plan and Test Strategy to demonstrate that critical DHS SELC requirements were documented and approved prior to implementation of the data migration.
• System security requirements and milestones were not documented and integrated into key project documentation, such as Business Requirements documents, project schedules, Project Management Plans, and Risk Management Plans.
• Project documentation including the Project Management Plan, the Risk Management Plan, and Business Requirements documents were not updated and revised throughout the project duration as required by the DHS SELC.
• Key information such as roles and responsibilities of all stakeholders, guidelines for developing business requirements documentation, requirements for stage reviews, and key exit criteria before moving to the next stage of the project were not integrated into the project schedule, Project Plan, and Communications Plan.
• FEMA management did not provide adequate oversight of the contractors implementing the IFMIS-Merger Project. Specifically, documented evidence supporting the approval, validation, and retention of required artifacts associated with the data migration and other key project management documents could not be provided by FEMA or were insufficient based on DHS requirements.

Recommendation:
We recommend that FEMA management conduct and document a lessons learned report related to the IFMIS-Merger project per DHS SELC guidance. By conducting such an activity, FEMA management will be able to maintain a record of lessons learned in order to increase the probability of success for future acquisitions through the improvement of processes, tools, and other project related entities.

Additionally, we determined that the root cause associated with the weaknesses noted over the SELC process is related to the entity level control issue identified in FEMA-IT-10-47, FEMA Management Needs to Improve Planning, Management, and Communication Related to Financial Systems Development and Acquisition Projects. While the IFMIS-Merger project has been completed, corrective action over the establishment of a process to provide oversight to the implementation of the SELC methodology must be completed. Please see NFR FEMA-IT-10-47 for recommendations related to the establishment of this process.

NFR No: FEMA-IT-10-55
New Issue: X
Risk Rating: 2

Condition:
During our FY 2010 integrated audit test work, we noted the following weaknesses related to the management and monitoring of user accounts and activity on the NFIP LAN supporting Traverse:
• NFIP has not established or implemented a formal process to periodically recertify all accounts with access to the NFIP LAN supporting Traverse, as required by DHS and FEMA policy. Specifically, six system and/or service accounts on the FEMA LAN remained active absent an acceptable documented business need and justification. We were informed by NFIP management that these accounts were no longer needed, and they were removed from the system during test work.
• Audit logs generated and reviewed on the NFIP LAN do not include changes to user account privileges as required by DHS and FEMA policy.
• Audit logs for the NFIP LAN are not retained for at least 90 days, in accordance with DHS policy.

Recommendation:
• Complete the revision, documentation, and full implementation of access control policies and the NFIP LAN system account management procedures to align with DHS requirements such as recertification of accounts and audit log reviews. Specifically, ensure that they include a formalized process for the recertification of all accounts on the NFIP LAN, including service accounts, on an annual basis to determine if access remains appropriate and commensurate with job responsibilities in accordance with DHS policy.
• Document and implement policies and procedures over the creation of service accounts to ensure that they are appropriately authorized and that a clear business need is established and documented justifying the creation and use of these types of accounts in accordance with DHS policy.
• Configure the NFIP LAN audit logs to include changes to user account privileges and ensure that storage capacity settings of audit logs are configured to retain the logs for 90 days online as required by DHS and FEMA policy.

NFR No: FEMA-IT-10-56
New Issue: X
Risk Rating: 2

Condition:
During our FY 2010 integrated audit, we noted the following weaknesses related to the monitoring of user accounts and activity on the TRRP mainframe:
• Segregation of duties is not properly implemented over the review and maintenance of TRRP audit logs. Specifically, the TRRP system administrator is responsible for reviewing TRRP audit logs, and a second independent reviewer is not required.
• Audit logs generated and reviewed on the TRRP mainframe do not include changes to user account privileges as required by DHS and FEMA policy.

Recommendation:
• Develop and implement TRRP audit logging policies and procedures that include requirements for audit log configurations and the review of logs by IT security management independent of the system administration team in accordance with DHS policy.
• Configure the TRRP audit logs to include changes to user account privileges as required by DHS and FEMA policy.

NFR No: FEMA-IT-10-57
New Issue: X
Risk Rating: 2

Condition:
During our FY 2010 integrated audit test work, we noted that NFIP has not established or implemented a formal process to authorize or periodically review remote access to the LAN hosting the TRRP mainframe environment in accordance with DHS and NIST guidance.

Recommendation:
• Develop, document, and fully implement policies and procedures over documenting, reviewing, and approving remote access to the NFIP LAN hosting the TRRP mainframe environment in accordance with FEMA and DHS requirements.
• Develop, document, and fully implement policies and procedures to perform a periodic recertification of all remote user access and retain auditable records as evidence that recertifications are conducted and completed in accordance with DHS and FEMA policy.

NFR No: FEMA-IT-10-58
Repeat Issue: X
Risk Rating: 2

Condition:
While improvements were noted over the documentation of Traverse change management procedures during the FY 2010 integrated audit test work, we determined that certain weaknesses identified in FY 2009 continue to exist over the Traverse configuration management process in comprehensively addressing FEMA and DHS change management policy. For example, we determined that:
• Established procedures do not include guidance for initial approvals, as we were informed that Traverse currently does not fall under review of the NFIP Change Control Board (CCB).
• Requirements for managing the change management program have not been adequately established and implemented to ensure that NFIP CCB and/or TRC approvals are granted prior to implementing changes into the Traverse production environment, as required by FEMA and DHS policy.
• Adequate oversight and involvement from FEMA management is not integrated into the configuration management requirements. Specifically, FEMA is not involved in testing and/or reviewing testing and approving changes to Traverse prior to implementation.
• Traverse changes are not required to be tested prior to implementing the change into production as no testing environment exists.
• Limited testing requirements exist to guide personnel in the development of test plans and guidance over the testing that should be performed and documented. Additionally, roles and responsibilities over test plan procedures to ensure that plans are sufficient, document expected outcomes, and are reviewed and approved prior to development, are not documented.
• Requirements for Traverse emergency changes have not been formally defined.

Recommendation:
• Ensure the NFIP contractor continues to dedicate resources to establish and implement documented policies and procedures over the Traverse change management process for non-emergency and emergency changes which are in line with DHS configuration management requirements. Particular emphasis must be placed on approval by the NFIP CCB and/or TRC, initial change approvals, testing and testing requirements, final approvals, and retention of required change management artifacts to track all changes throughout their lifecycle. These phases should also include an integrated process to address system change requirements and stakeholder change requirements to ensure adequate testing and approvals are completed by the appropriate parties.
• Establish and implement a formal process to conduct user acceptance testing in a test environment prior to implementation in production.
• Allocate qualified NFIP management and OCIO IT security resources to provide adequate oversight for the configuration management process. Oversight activities should encompass requirements such as a NFIP Program Configuration Management Board responsible for managing and participating in the NFIP CCB and/or TRC to ensure that all required elements in the configuration management process are formally defined and implemented in accordance with DHS and FEMA guidance.
• Dedicate the resources to fully review and finalize approval of all NFIP contractor's configuration management policies and procedures to ensure the revised procedures are compliant with DHS requirements.

NFR No: FEMA-IT-10-59
Repeat Issue: X
Risk Rating: 2

Condition:
While improvements were noted over the documentation of TRRP change management procedures during the FY 2010 integrated audit testwork, we determined that certain weaknesses identified in FY 2009 continue to exist over the TRRP configuration management process in comprehensively addressing FEMA and DHS change management policy. For example, we determined that:
• Requirements for managing the change management program have not been adequately established and implemented to ensure that CCB and/or TRC approvals are granted prior to implementing changes into the TRRP production environment, as required by FEMA and DHS policy. Specifically:
  • While a CCB has been established by NFIP management, adequate oversight and involvement from FEMA management has not been integrated into the configuration management requirements, including mandatory FEMA participation in the CCB and CCB approval of changes after testing has occurred.
  • FEMA management, including IT security and financial personnel, are not involved in testing and/or reviewing testing and approving changes to TRRP prior to implementation.
  • CCB reviews are not conducted for approval of final changes prior to implementation into production as required by FEMA and DHS guidance.
• Limited testing requirements exist to guide personnel in the development of test plans and guidance over the testing, including user acceptance testing, that should be performed and documented prior to approval and implementation into production. Additionally, roles and responsibilities over test plan procedures to ensure that plans are sufficient, document expected outcomes, and are reviewed and approved prior to development, are not documented.
• Requirements for TRRP emergency changes have not been formally defined in writing.

Furthermore, we performed testwork over initial and final approvals for a selection of 25 TRRP changes made in FY 2010 and noted the following exceptions:
• Documentation for 3 of the 25 changes could not be provided.
• 17 of 22 changes tested did not have initial approvals documented prior to developing the change.
• 9 of 22 changes tested did not have all the required approvals prior to implementation.
• 1 of 22 changes tested was implemented prior to change documentation being completed.

Recommendation:
• Ensure the NFIP contractor continues to dedicate resources to establish and implement documented policies and procedures over the TRRP change management process for non-emergency and emergency changes which are in line with DHS configuration management requirements. Particular emphasis must be placed on initial change approvals, testing and testing requirements, final approvals, and retention of required change management artifacts to track all changes throughout their lifecycle. These phases should also include an integrated process to address system change requirements and stakeholder change requirements to ensure adequate testing and approvals are completed by the appropriate parties.
• Allocate qualified NFIP management and OCIO IT security resources to provide adequate oversight for the configuration management process. Oversight activities should encompass requirements such as a NFIP Program Configuration Management Board responsible for managing and participating in the NFIP CCB and/or TRC to ensure that all required elements in the configuration management process are formally defined and implemented in accordance with DHS and FEMA guidance.
• Dedicate the resources to fully review and finalize approval of all NFIP contractor's configuration management policies and procedures to ensure the revised procedures are compliant with DHS requirements.

FEMA-
Weaknesses identified in FY 2009 related to controls to   \xef\xbf\xbd   In accordance with policy, enforce requirements                  X      2\nIT-10-   restrict access and control movement of Traverse              over individual user accounts by not allowing\n  60     program libraries and data continue to exist in FY            vendors to a use a system administrator\xe2\x80\x99s account\n         2010. Specifically:                                           to access the system and deploy changes into\n                                                                       production.\n         \xef\xbf\xbd   Implementation procedures over Traverse changes       \xef\xbf\xbd   Document and implement policies and procedures\n             have not been established, and current processes do       to limit Traverse developer and application support\n             not incorporate segregation of duties requirements.       vendor access to the NFIP production environment\n             Specifically, NFIP IT contractors use their               to \xe2\x80\x9cread only\xe2\x80\x9d through an assigned user account\n             individually assigned system administrator                and segregate the responsibility for deploying\n             accounts to logon and create sessions to allow a          application code changes into production from the\n             third-party development vendor to install Traverse        development/support vendor to an independent\n             system changes.                                           control group. Additionally, procedures should\n                                                                       include implementation process requirements for\n         \xef\xbf\xbd   NFIP does not have a formal process for                   controlling access to production directories. 
If\n             monitoring changes that the vendor makes in               business needs require that the segregation of\n             Traverse while logged in as an administrator.             duties cannot be immediately implemented, FEMA\n                                                                       should document and implement policies and\n                                                                       procedures to mitigate the risk associated with the\n                                                                       segregation of duties weakness noted in\n                                                                       accordance with DHS guidance, including a\n                                                                       formalized     process     for    performing     and\n                                                                       documenting reviews of activity performed by\n                                                                       third-party vendors within the Traverse\n                                                                       environment.\nFEMA-    As noted during the FY 2009 audit, weaknesses over        \xef\xbf\xbd   Develop, document, and fully implement an IT                     X      2\nIT-10-   contingency planning for both the Traverse and TRRP           Contingency Plan for NFIP components, including\n  61     systems continue to exist in FY 2010. Specifically:           TRRP and Traverse. 
Additionally, ensure that\n                                                                       contingency planning documentation includes\n         \xef\xbf\xbd   While the NFIP Legacy System Services\n                                                                       detailed instructions for restoring operating system\n             (NFIP/LSS) Contingency Plan, which pertains to\n                                                                       software and critical applications in the event of a\n             the contingency planning around Traverse and the\n                                                                       disaster, contingency, or disruption of service in\n             NFIP LAN, has been updated for FY 2010, the\n                                                                       accordance with DHS and NIST policy\n             following elements are not in compliance with\n                                                                       requirements for systems categorized at the high\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 110\n\x0c                                                                                                                                    Appendix B\n                                               Department of Homeland Security\n                                           Information Technology Management Letter\n                                                      September 30, 2010\n\nNFR                                                                                                                         New     Repeat Risk\n                            Condition                                              Recommendation\n#No                                                                                                                         Issue    Issue Rating\n 
         DHS and NIST requirements:                                  impact availability objective.\n                                                                  \xef\xbf\xbd   Conduct and document annual tests of the TRRP\n          \xef\xbf\xbd   The NFIP/LSS IT Contingency Plan does not\n                                                                      and Traverse IT Contingency Plan(s) that address\n              document detailed instructions for restoring\n                                                                      all critical phases of the plan(s), and update\n              operating systems and critical applications in\n                                                                      contingency planning documentation with lessons\n              the event of a disaster, contingency, or\n                                                                      learned, as necessary and in accordance with DHS\n              disruption of service.\n                                                                      and NIST requirements.\n          \xef\xbf\xbd   The NFIP/LSS IT Contingency Plan does not           \xef\xbf\xbd   Dedicate resources to establish and implement an\n              designate the current alternate processing              alternate processing site for the NFIP systems in\n              facility for the operating environment.                 accordance with DHS policy requirements.\n                                                                  \xef\xbf\xbd   Until an alternate processing site is established,\n          \xef\xbf\xbd   Testing of the NFIP/LSS IT Contingency Plan\n                                                                      develop and submit an exception for approval in\n              has not been performed in the 12 months, as             accordance with DHS policy, and ensure that\n              required by DHS policy.                                 
compensating controls over the lack of an alternate\n      \xef\xbf\xbd   FEMA and NFIP management have not                           processing site have been implemented and are\n          documented or approved a current IT Contingency             effective, and documentation of their effectiveness\n          Plan for the mainframe environment supporting the           is maintained as auditable records.\n          TRRP system in accordance with FEMA and DHS             \xef\xbf\xbd   Document, implement, and maintain the NFIP\n          requirements.                                               COOP to ensure required elements for Traverse\n                                                                      and TRRP are included in accordance with DHS\n      \xef\xbf\xbd   Contingency testing over TRRP was not                       guidance for high impact systems.\n          sufficiently conducted in accordance with DHS\n          and NIST requirements. While a limited disaster\n          recovery test of the NFIP mainframe environment,\n          including TRRP, was performed in October 2009\n          to test restoration of data, all elements required to\n          be tested under the DHS requirements for an IT\n          Contingency Plan were not sufficiently addressed\n          and could not be used to validate the effectiveness\n          of the organization\xe2\x80\x99s contingency planning\n          controls.\n      \xef\xbf\xbd   The NFIP contractor\xe2\x80\x99s Continuity of Operation\n          Plan (COOP) for Traverse and TRRP could not be\n          provided for auditor review.\n\n\n                 Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                    Page 111\n\x0c                                                                                                                                      Appendix B\n                                                 
Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\nNFR                                                                                                                           New     Repeat Risk\n                              Condition                                             Recommendation\n#No                                                                                                                           Issue    Issue Rating\nFEMA-    Conditions noted in FY 2009 related to weaknesses         \xef\xbf\xbd   Document and establish a centralized and                         X      3\nIT-10-   over the NEMIS configuration management process               integrated change management process over\n  62     continue to exist in FY 2010. Based on our testwork,          NEMIS to ensure that adequate controls are\n         we concluded that NEMIS configuration management              implemented throughout the lifecycle of the\n         is not adequately and centrally controlled, documented,       configuration management process, in accordance\n         or managed throughout the lifecycle of the FEMA               with DHS and FEMA policy.\n         configuration management process. 
Specifically, we        \xef\xbf\xbd   Formally      designate     FEMA       management\n         identified the following weaknesses:                          responsibilities for oversight and implementation\n         \xef\xbf\xbd   NEMIS configuration management policy and                 of controls for initiating, monitoring, testing, and\n             procedures which outline FEMA\xe2\x80\x99s responsibilities          approving all NEMIS non-emergency and\n             and processes for initiating, monitoring, testing,        emergency changes;\n             and approving NEMIS non-emergency and                 \xef\xbf\xbd   Establish a centralized, formal process to monitor,\n             emergency changes that are developed under the            document, and track NEMIS software changes\n             various development contracts have not been               throughout the configuration management\n             documented and approved by FEMA management,               lifecycle, from initial approval through\n             in accordance with DHS and FEMA policy.                   implementation into the production environment.\n\n         \xef\xbf\xbd   FEMA does not have a centralized program\n             management function or process to monitor and\n             track NEMIS Software Change Requests (SCRs)\n             throughout the configuration management\n             lifecycle, from initial approval through\n             implementation into the production environment.\nFEMA-    During the FY 2010 integrated audit, we noted             \xef\xbf\xbd   Revise, document and fully implement a                  X               2\nIT-10-   weaknesses over the IFMIS-Merger Configuration                comprehensive        configuration     management\n  63     Management Plan.      
Based on our testwork, we               program      that    includes    a    Configuration\n         concluded that the IFMIS configuration management             Management Plan for IFMIS-Merger, which aligns\n         process does not meet comprehensive change                    with all applicable DHS and FEMA requirements\n         management process requirements and procedures as             and reflects the current IFMIS-Merger operating\n         required by DHS and NIST guidance because it is not           environment and all applicable IT components.\n         adequately documented. For example, we identified         \xef\xbf\xbd   Include in policies and procedures (a) clearly\n         the following weaknesses:                                     defined and formalized responsibilities for change\n         \xef\xbf\xbd   The IFMIS CMP provided in July 2010 is in draft           management oversight bodies including a\n             and has not been updated to reflect the new IFMIS-        Configuration/Change Control Board and (b)\n                                                                       sufficiently     detailed    responsibilities  and\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 112\n\x0c                                                                                                                                Appendix B\n                                              Department of Homeland Security\n                                          Information Technology Management Letter\n                                                     September 30, 2010\n\nNFR                                                                                                                     New     Repeat Risk\n                           Condition                                          Recommendation\n#No                             
                                                                                        Issue    Issue Rating\n          Merger operating environment. Specifically, the        requirements for security impact analyses, test plan\n          plan includes Core IFMIS and G&T IFMIS, but            development, and approval for non-emergency and\n          does not address the IFMIS-Merger instance that        emergency change procedures.\n          began operations in February 2010.\n      \xef\xbf\xbd   Infrastructure information for the in-scope\n          applications does not include the server\n          information for G&T IFMIS, which was\n          operational when the plan was last revised in\n          November 2009.\n      \xef\xbf\xbd   The CCB has not been formally and fully\n          integrated into the FEMA change management\n          process. While we were informed that a CCB for\n          IFMIS was established on March 22, 2010, we\n          determined that the requirements over the roles and\n          responsibilities as well as the membership of the\n          CCB were not clearly defined, implemented, and\n          documented to ensure that DHS requirements are\n          met.\n      \xef\xbf\xbd   Membership of the \xe2\x80\x9cSCR Review Team\xe2\x80\x9d\n          responsible for initial approval for development of\n          any changes to the application is not formally\n          defined.\n      \xef\xbf\xbd   Requirements that security impact analyses be\n          performed prior to implementation of changes have\n          not been documented.\n      \xef\xbf\xbd   Limited testing requirements exist to guide FEMA\n          personnel in the development of test plans and\n          guidance over the testing that should be performed\n          and documented. 
Additionally, roles and\n          responsibilities over test plan procedures to ensure\n          that plans are sufficient, document expected\n          outcomes, and are reviewed and approved prior to\n\n                 Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                    Page 113\n\x0c                                                                                                             Appendix B\n                                            Department of Homeland Security\n                                        Information Technology Management Letter\n                                                   September 30, 2010\n\nNFR                                                                                                  New     Repeat Risk\n                          Condition                                  Recommendation\n#No                                                                                                  Issue    Issue Rating\n          development, are not documented.\n      \xef\xbf\xbd   Requirements over emergency changes have not\n          been defined in writing.\n\n\n\n\n                Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                   Page 114\n\x0c                                                                             Appendix B\n                       Department of Homeland Security\n                   Information Technology Management Letter\n                              September 30, 2010\n\n\n\n\n            Department of Homeland Security\n FY 2010 Information Technology - Notice of Findings and\n               Recommendations \xe2\x80\x93 Detail\n\n          \xef\xbf\xbd Federal Law Enforcement Training Center\n\n\n\n\nInformation Technology Management Letter for the FY 2010 Financial Statement Audit\n                                   Page 
115\n\x0c                                                                                                                                  Appendix B\n                                                Department of Homeland Security\n                                            Information Technology Management Letter\n                                                       September 30, 2010\n\n                                       Notice of Findings and Recommendations \xe2\x80\x93 Detail\n                                        Federal Law Enforcement and Training Center\n\n NFR                                                                                                                      New     Repeat   Severity\n                               Condition                                          Recommendation\n #No                                                                                                                      Issue    Issue    Rating\nFLETC-     During our FY 2010 review of FLETC\xe2\x80\x99s configuration      The FLETC management will update and enforce            X                   2\nIT-10-01   management policies and procedures, we noted that       current procedures to ensure changes are fully\n           FLETC does not conduct the following:                   documented throughout the change control process\n           \xef\xbf\xbd Momentum and Glynco Area Network (GAN)                to include the results of testing the change, review\n              changes are not being documented throughout the      of the change test results, and final approval to\n              change control process from the testing of changes   proceed with the implementation.\n              to the final approval of the changes prior to\n              implementation, and;\n           \xef\xbf\xbd Distribution and implementation of Momentum\n              and GAN changes are not being controlled.\n\nFLETC-     During the FY 2009 financial statement audit, 
we        Due to remediation of this finding within the fiscal             X          3\nIT-10-02   noted several weaknesses with the logical access        year, no recommendation is required.\n           controls for the Glynco Administrative Network\n           (GAN).\n\n           During our review in FY 2010, we reviewed the\n           logical access controls over the GAN. Per our review,\n           we noted that FLETC has remediated all of the logical\n           access controls over the GAN; however, KPMG noted\n           that the GAN was configured to reset the lockout\n           counter after 20 minutes. This does not meet the DHS\n           4300A requirement of 24 hours. Upon notification,\n           FLETC immediately remediated the configuration\n           issue. However, the configuration was inappropriately\n           configured for the majority of the fiscal year.\n\nFLETC-     In FY 2009, KPMG conducted After-Hours                  Finance Division, Building 66 Safeguarding of PII                X          3\nIT-10-03   walkthrough testing to complement our IT audit          and Credit Card data: Modifications to Building\n           testing efforts as part of the FY 2010 DHS Financial    66 have recently been completed which provide\n           Statement Audit and Audit of Internal Control over      secure file storage rooms and entry controls for all\n           Financial Reporting. We also performed after-hours      access points in the building. 
An SOP will be\n\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 116\n\x0c                                                                                                                                    Appendix B\n                                                  Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2010\n\n NFR                                                                                                                        New     Repeat   Severity\n                                Condition                                            Recommendation\n #No                                                                                                                        Issue    Issue    Rating\n           physical security testing to identify risks related to     drafted to address Safeguarding of PII and Credit\n           non-technical aspects of IT security. These non-           Card data in the Finance Division, implement use\n           technical IT security aspects include physical access to   of the secure file storage rooms, and address entry\n           equipment that houses financial data and information       controls for access points in the building. This\n           residing on the desks of FLETC personnel, which            will be developed and implemented by November\n           could be used by others to inappropriately access          15, 2010. Additionally, specific requirements for\n           financial information.                                     
Safeguarding of PII and Credit Card data will be\n                                                                      added to each Finance Division employee\xe2\x80\x99s FY\n           For our review in FY 2010 follow up test work was          2011 (and future) Annual Performance Work Plan\n           performed at various FLETC buildings in the Glynco,        to ensure there is no misunderstanding regarding\n           Georgia complex. The designated FLETC Technical            each employee\xe2\x80\x99s responsibilities in this area.\n           Point of Contact and representatives from the DHS\n           Office of Inspector General, the DHS Office of             Finance Office, Building 66 User Name and\n           Information Security, and the FLETC Office of              Passwords: Remedial training will be conducted\n           Physical Security accompanied KPMG to monitor              regarding safeguarding User Name and Passwords.\n           testing and validate the results. After gaining access     Additionally,     specific    requirements     for\n           to the facilities, we inspected a random selection of      safeguarding User Name and Passwords will be\n           desks and offices, looking for items such as improper      added to each Finance Division employee\xe2\x80\x99s FY\n           protection of system passwords, unsecured                  2011 (and future) Annual Performance Work Plan\n           information system hardware, documentation marked          to ensure there is no misunderstanding regarding\n           FOUO, and unlocked network sessions. Our selection         each employee\xe2\x80\x99s responsibilities in this area.\n           of desks and offices was not statistically derived, and\n           therefore we are unable to project results to the          For the CIO Operations and Support Division\n           component or department as a whole. 
(Continued from the previous page)

Condition: We reviewed over 90 desks and cubicles within the four locations.

Recommendation: (OSD) in Bldg 681, remedial training will be conducted to ensure employees and contractors lock their doors and safeguard sensitive information. OSD will ensure the workstation screensaver feature is enabled on its workstations.

FLETC-IT-10-04

Condition: During the FY 2009 financial statement audit, KPMG determined that logs of auditable events in the Glynco Administrative Network (GAN) are not being reviewed to identify potential incidents.

During our FY 2010 review, KPMG determined that FLETC has implemented the Security Information Management System (SIM) with capabilities to manage and store logs of auditable events. However, we determined that management does not have a formal process for reviewing the audit logs on a periodic basis.

Recommendation: FLETC's current SIM solution provides no capability to correlate or aggregate audit logs, which results in an arduous, un-trackable and unmanageable audit log review process when handling millions of records each day. FLETC is currently in the process of procuring ArcSight ESM as a replacement SIM solution to address these and other shortcomings with the current solution. ArcSight ESM allows for both simplified and exceptionally complex event correlation rule authorship.

FLETC will deploy the ArcSight ESM solution during FY 2011. Users, such as ISSOs, will be provided focused dashboards with correlated information pertinent to their areas of responsibility. Audit logs will be reviewed as correlated and aggregated data and can be drilled down into in detail and reviewed when suspicious or anomalous records are found. Customized reports and automated alerts will be configured for each system and tailored for the audit log reviewer. Audit logs of access to the SIM itself will also be generated and reviewed to ensure users such as ISSOs and the SOC are utilizing the system, reviewing audit records, and responding to the configured automated alerts in a timely manner.

Repeat Issue: X
Severity Rating: 2

Information Technology Management Letter for the FY 2010 Financial Statement Audit, Page 117

Appendix B
Department of Homeland Security
Information Technology Management Letter
September 30, 2010

(Table columns: NFR #No; Condition; Recommendation; New Issue; Repeat Issue; Severity Rating)

FLETC-IT-10-05

Condition: During the FY 2009 financial statement audit, KPMG determined that access control weaknesses existed over Momentum access authorizations for users' profiles created or modified during the fiscal year.

During the FY 2010 financial statement audit, KPMG determined that access control weaknesses still existed over Momentum access authorizations for users' profiles created or modified during the fiscal year. Specifically, we learned that new users and profile changes are not being tracked by FLETC.

Recommendation: FLETC has implemented profile logging; however, due to the overwhelming volume of events logged by the system, this has proven to be unusable in terms of identifying relevant activity. FLETC is working to better analyze and manage the profile logging reports. An SOP will be drafted to implement management oversight for Momentum access authorizations for users' profiles created or modified during the fiscal year. This process will be developed and implemented by November 30, 2010.

Repeat Issue: X
Severity Rating: 3

FLETC-IT-10-06

Condition: During the FY 2009 financial statement audit, we noted several weaknesses around access controls for the Student Information System (SIS) including:
• SIS is configured to have a password history of two passwords stored.
• SIS is not configured to reset the account failed logon counter.
• Users were not locked out after three invalid access attempts.
• SIS system administrators share a 'root' username and password to perform administrative responsibilities.
• A sample of audit logs that track changes to system data could not be provided.
• User profile creation is not tracked and a listing of profile creation dates could not be provided.
• Evidence of periodic review of user accounts could not be provided.

In FY 2010, we inquired with FLETC and noted that although some corrective actions have taken place, the following has not yet been implemented:
• Users are not being locked out after 3 invalid attempts.
• SIS password length minimum is configured at a minimum of six.
• SIS does not require a combination of alphabetic, numeric, and special characters.
• Audit logs that track changes to system data are not being reviewed.
• Profile creation and changes are not being tracked and a listing of profile updates could not be provided.
• Periodic review of user accounts is not being conducted.

Recommendation: The FLETC will update the existing Risk Acceptance to include the password exceptions noted in the condition above.

Repeat Issue: X
Severity Rating: 2
Department of Homeland Security
FY 2010 Information Technology - Notice of Findings and Recommendations – Detail

• Immigration and Customs Enforcement

Notice of Findings and Recommendations – Detail
Immigration and Customs Enforcement

(Table columns: NFR #No; Condition; Recommendation; New Issue; Repeat Issue; Severity Rating)

ICE-IT-10-01

Condition: During the FY 2009 financial statement audit, KPMG performed an inspection of a sample of personnel that had terminated/transferred from their employment with ICE during the fiscal year. KPMG requested evidence that exit clearance forms were completed for each employee to determine ICE management's compliance with exit clearance procedures. Of the 25 terminated/transferred ICE personnel sampled, evidence of compliance with exit clearance procedures could not be provided for 12 employees.

During the FY 2010 financial statement audit, KPMG was informed that a policy and procedure has not been developed for the Personnel Exiting Process. ICE management stated that the Office of Human Capital (OHC) has implemented a multi-year mission action plan to address this and various other issues, but there has been no corrective action taken at this time.

Recommendation: ICE should establish and implement a policy governing the exit clearance process, identifying the procedures separating employees and contractors must take to ensure the return and/or safeguarding of government property, equipment, and systems; and the roles and responsibilities of ICE offices involved in the exit clearance process.

Repeat Issue: X
Severity Rating: 3

ICE-IT-10-02

Condition: During the FY 2009 audit, KPMG inquired of ICE OCIO personnel about FFMS password settings. We determined that the FFMS password settings require the use of an underscore and do not allow the use of any other special characters such as !, @, #, $, %, or *, which is not compliant with DHS policy. The DHS policy requires that passwords contain a combination of alphabetic, numeric, and special characters.

During the FY 2010 audit, we performed follow-up inquiry to determine the status of this weakness and learned that the FFMS password setting control weakness has not been remediated. ICE management stated that a change to the system has been requested to include two additional characters in the password complexity. The special characters that will be added once the change is implemented are the #, $, and underscore. KPMG noted that Oracle uses the following characters (!, @, %, ^, &, *) as function keys; therefore, they cannot be included in the password complexity. The remediation completion date is scheduled for November 2010.

Recommendation: ICE should update the FFMS password configuration settings to ensure that they are in compliance with DHS 4300A policies.

Repeat Issue: X
Severity Rating: 3

ICE-IT-10-03

Condition: During the FY 2009 audit, KPMG inquired of ICE OCIO personnel about the process for recertifying FFMS user access (review of access privileges) and found that this process is not formally documented. Furthermore, KPMG found that the review of the access privileges for each FFMS account is not adequately recorded and no audit trail is available to support that a recertification was completed.

During the FY 2010 financial statement audit, we performed follow-up inquiry to determine the status of this weakness and learned that procedures have been documented and implemented for the FFMS recertification process; however, a formal policy has not been documented. KPMG found that users' logical access privileges were reviewed, recorded, and maintained; therefore this portion of the PY NFR has been remediated. However, per inquiry with ICE management, KPMG found that a formal policy still does not exist for the recertification of FFMS accounts.

Recommendation: ICE management should establish and implement policies and procedures to formally document the recertification of FFMS user privileges. This activity is the responsibility of OFM and the ISSO. This process should include a method to document user recertification and a process to maintain evidence of the reviews.

Repeat Issue: X
Severity Rating: not given

ICE-IT-10-04

Condition: During the FY 2009 financial statement audit, KPMG performed an inspection of a listing of FFMS users and their assigned roles/responsibilities and determined that six users had Originator, Funds Certification Official, and Approving Official profiles that were in violation of FFMS segregation of duties policies.

During the FY 2010 financial statement audit, we performed follow-up inquiry to determine the status of this weakness and learned that a draft FFMS segregation of duty policy is in place but is not being followed. In addition, KPMG inspected a listing of FFMS users and their assigned roles/responsibilities and determined that one user had Originator, Funds Certification Official, and Approving Official profiles, which is a violation of the FFMS segregation of duties policy.

Recommendation: ICE should enforce policies and procedures to ensure that assigned roles and responsibilities are commensurate with personnel job functions.

Repeat Issue: X
Severity Rating: 3

ICE-IT-10-05

Condition: During the FY 2010 financial statement audit, KPMG determined that FFMS audit logs were not generated or reviewed during the period October 2009 through February 2010. As of March 2010, the logs were generated and reviewed; however, no supporting evidence could be provided. Additionally, we determined that audit log policy and procedures have been drafted; however, they have not been finalized, approved, and implemented.

Recommendation: ICE Office of Financial Management (OFM) will finalize, seek approval, and formally implement the draft policy and procedures. In the meantime, the draft policy will be used to provide an accurate audit log.

New Issue: X
Severity Rating: 3

ICE-IT-10-06

Condition: During the FY 2009 financial statement audit, KPMG determined that weaknesses exist over ADEX access. Specifically, KPMG found that 14 users who were separated from ICE still had active ADEX accounts that were not removed upon their termination/transfer.

During the FY 2010 financial statement audit, we performed follow-up inquiry to determine the status of this weakness and learned that ICE has implemented a compensating control that will disable user accounts after 45 days of inactivity to mitigate the control weakness. However, KPMG found that a separated employee's account was not disabled in a timely manner, as the account was accessed after the employee's termination date. Therefore, the 45-day window was inappropriately delayed. In addition, we determined that DHS access control policies are not being followed, as users are not properly identified and authenticated. Based on ICE management's response to this weakness, "either another user logged on as the terminated user or Information Technology Field Officer (ITFO) logged in using the terminated employee's credentials."

Recommendation: Ensure implementation of the ICE Exit Clearance Directive, which will establish the process for separating employees, both Federal and contractors, and formalize a process to ensure that separating employees have their access to all ICE information technology systems removed.

Repeat Issue: X
Severity Rating: 3

ICE-IT-10-07

Condition: During the FY 2010 financial statement audit, KPMG determined that several physical and environmental control weaknesses exist within the OCS Datacenter. Specifically, we noted the following:
• OCS Data Center Risk Assessment is not documented.
• Re-entry procedures for personnel after an emergency evacuation are not documented.
• Fire suppression testing documentation is not maintained.
• Water damage was visible on the data center wall where FFMS servers are housed, with no incident report of the event.
• UPS testing documentation is not maintained.

Recommendation: As of July 2010 FFMS has been moved from the Department of Commerce OCS to Data Center 2 (DC2). DC2 will be reviewed and monitored to ensure compliance with all physical and data security requirements.

New Issue: X
Severity Rating: 2

ICE-IT-10-08

Condition: During the FY 2010 financial statement audit, we determined that the environmental controls in the PCN computer room need improvement. Specifically, we found that environmental test results are not documented and maintained for the following devices: AC units, fire extinguishers, and back-up power supply.

Recommendation: Ensure that environmental systems (Heat Ventilation Air Conditioner, fire extinguishers, and Universal Power Supply) are tested annually with test results made available for review.

New Issue: X
Severity Rating: 2

ICE-IT-10-09

Condition: Social engineering is defined as the act of attempting to manipulate or deceive people into taking action that is inconsistent with DHS policies, such as divulging sensitive information or allowing/enabling computer system access. The term typically applies to trickery or deception for the purpose of information gathering or computer system access.

During the course of our social engineering test work, the objective was primarily focused on attempting to identify user IDs and passwords. Posing as DHS technical support employees, attempts were made to obtain this type of account information by contacting randomly selected employees by telephone. A script was used to ask for assistance from the ICE user in resolving a network issue in the component. For each person we attempted to call, we noted whether the individual was reached and whether we obtained any information from them that should not have been shared with us according to DHS policy. Our selection of desks and offices was not statistically derived, and therefore we are unable to project results to the component or department as a whole.

During the FY 2010 financial statement audit, we learned that ICE continues to promote security awareness training by distributing a weekly newsletter to employees and contractors about security awareness. However, KPMG found that the prior year security weakness still exists.

Recommendation: Social Engineering is covered in the Annual Information Assurance Awareness Training (IAAT), which is a requirement for all ICE employees. The IAAT should continue to stress social engineering risks and greater outreach should be achieved.

Repeat Issue: X
Severity Rating: 3

ICE-IT-10-10

Condition: We performed after-hours physical security testing to identify risks related to non-technical aspects of IT security. These non-technical IT security aspects include physical access to equipment that houses financial data and information residing on an ICE employee's desk which could be used by others to inappropriately access financial information. The testing was performed at various ICE locations that process and/or maintain component financial data. After gaining access to the facilities via an ICE employee designated to assist with and monitor our testwork, we inspected a random selection of desks and offices looking for items such as improper protection of system user names and passwords, unsecured information system hardware, documentation containing PII or marked FOUO, and unlocked network sessions. Our selection of desks and offices was not statistically derived, and therefore we are unable to project results to the component or department as a whole. For each location visited, we noted the type of unsecured information or property we identified and included the total exceptions noted by location, as well as by type of information or property identified.

During the FY 2010 financial statement audit, we learned that ICE continues to promote security awareness training and distributes a weekly newsletter to employees and contractors about security awareness. However, KPMG found that security weaknesses still exist.

Recommendation: Security Awareness is covered in the Annual IAAT, which is a requirement for all ICE employees. The IAAT should continue to stress security awareness risks and greater outreach should be achieved.

New Issue: X
Severity Rating: 3

ICE-IT-10-11

Condition: In FY 2009, we found that ICE lacked policies and procedures requiring completion of a training program by personnel in IT security positions.

During the FY 2010 financial statement audit, we learned that to correct the prior year NFR, ICE follows DHS 4300A policy for training personnel in IT security positions; therefore, this portion of the NFR is closed. However, during our testwork we determined that weaknesses still exist over training personnel in IT security positions. Specifically, we determined that 27 out of 45 IT security personnel have not completed specialized training.

Recommendation: OCIO will provide management oversight and guidance for training personnel with significant responsibilities for information security.

Repeat Issue: X
Severity Rating: 2

ICE-IT-10-12

Condition: During the FY 2010 financial statement audit, KPMG determined that physical safeguard weaknesses exist at the DC2 datacenter. Specifically, we determined the following:
• Re-entry procedures after an emergency have been implemented; however, the procedures are not documented.
• FFMS server is inappropriately marked with a label that identifies the application/data on the server.

Recommendation: ICE should ensure that re-entry procedures are properly documented at the Clarksville data center and make certain that servers are not inappropriately identified.

New Issue: X
Severity Rating: 2

ICE-IT-10-13

Condition: During KPMG's internal vulnerability assessment efforts of ICE's FFMS network, servers and databases performed in August 2010, KPMG identified several High/Medium Risk vulnerabilities related to configuration management, such as:
• Hot Standby Router Protocol (HSRP) default installation on Cisco routers and switches
• Default "Oracle Listener Program (tnslsnr)" service password on server installation
• Outdated Microsoft Operating Systems
• Bonjour (also known as ZeroConf or mDNS) listening protocol
• Remote web server HTML form fields transmit data in clear text

Recommendation: ICE should take the necessary steps to begin examining the default configuration installations and system services installed on FFMS devices and determine if the default configurations can be set to increase FFMS's security or, in the case of unnecessary system services, deleted to reduce FFMS vulnerability to attack.

New Issue: X
Severity Rating: 3

ICE-IT-10-14

Condition: During KPMG's internal vulnerability assessment efforts of ICE's FFMS network servers and databases performed in August 2010, KPMG identified several High/Medium Risk vulnerabilities related to several configuration and patch management weaknesses within the configuration of the FFMS ICE and CIS Oracle database instances, such as:
• Clear text passwords stored in database
• Outdated patches
• Table security configurations
• User account privileges
• Password settings for users and database

Recommendation: ICE should take the necessary steps to begin applying the appropriate FFMS database patches to ensure patch compliance.

New Issue: X
Severity Rating: 3

ICE-IT-10-15

Condition: During KPMG's internal vulnerability assessment efforts of ICE's FFMS network servers and databases performed in August 2010, KPMG identified several High/Medium Risk vulnerabilities related to missing or inadequate patches, such as:
• Microsoft Patches
• Adobe Reader
• Apache Tomcat
• Java Runtime Environment (JRE)
• Oracle Database (server installation)
• HP System Management
• Internet Explorer
• MySQL database

Recommendation: ICE should take the necessary steps to begin applying the appropriate FFMS patches to the FFMS network servers and databases to ensure patch compliance.

New Issue: X
Severity Rating: 3

ICE-IT-10-16

Condition: During KPMG's internal vulnerability assessment efforts of ICE's ADEX network servers and devices performed in August 2010, KPMG identified a default installation and configurations for the HSRP on the Cisco routers.

Recommendation: ICE should ensure that password configuration settings are properly and effectively applied.

New Issue: X
Severity Rating: 3

Department of Homeland Security
FY 2010 Information Technology - Notice of Findings and Recommendations – Detail

• Office of Financial Management
• Office of Chief Information Officer
   Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2010\n\n                                         Notice of Findings and Recommendations \xe2\x80\x93 Detail\n                                                  Office of Financial Management\n                                                Office of Chief Information Officer\n\n NFR                                                                                                                       New     Repeat   Severity\n                                Condition                                          Recommendation\n #No                                                                                                                       Issue    Issue    Rating\n CONS-     During our follow-up on this prior year issue, we        We recommend that DHSNET logical access                          X         1\nIT-10-01   noted that the following password configurations for     configuration be aligned with DHS 4300A\n           the DHS Internet domain, which controls access to the    requirements concerning account lockout and\n           DHSTIER and CFO Vision, are not in compliance            workstation idle session termination.\n           with DHS 4300A requirements:\n           \xef\xbf\xbd The account lockout counter is configured to reset\n               after 30 minutes rather than (24 hours as required\n               by DHS policy; and\n           \xef\xbf\xbd Workstation idle sessions termination is\n               configured to lock workstations after 15 minutes\n               of inactivity rather than 5 as required by DHS\n               policy.\n OCIO-     DHS is in the process of becoming fully compliant        We recommend that the DHS OCIO:                                  X         2\nIT-10-01   with the Federal Desktop Core Configuration (FDCC)       
\xef\xbf\xbd Finalize the DHS Hardening Guides for\n           security configurations. Each DHS component agency         Windows desktop operating systems and\n           has begun testing or implementing the FDCC security        distribute them to all DHS component agencies.\n           configurations; however, full compliance with FDCC       \xef\xbf\xbd Continue with the full implementation of\n           security configurations for all DHS components is not      FDCC security configurations across all DHS\n           planned to be completed until the end of FY 2011.          component agencies.\n\n OCIO-     During the FY 2010 financial statement, we noted two     DHS should revise the DHS Handbook for                  X                  1\nIT-10-02   weaknesses within DHS policies that require further      Safeguarding Sensitive PII to clarify that access to\n           evaluation and clarification. The following              PII be restricted to those with a need to know.\n           observations     were    noted    for    management\n           consideration over access to PII and Segregation of      DHS should revise DHS 4300A Policy and\n           Duties principles:                                       Handbook, 7.1.1, Section 5.3 Auditing, to clarify\n           \xef\xbf\xbd DHS Sensitive Systems Policy (DHS MD 4300A             that the review of logs should be independent\n               Section 3.14.1) refers to the DHS Handbook for       adhering to segregation of duties principles.\n               Safeguarding Sensitive PII. 
We found that section\n               2.4.4 is too broad when assessing that when PII is\n\n                      Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                         Page 130\n\x0c                                                                                                           Appendix B\n                                               Department of Homeland Security\n                                           Information Technology Management Letter\n                                                      September 30, 2010\n\nNFR                                                                                               New     Repeat   Severity\n                            Condition                                 Recommendation\n#No                                                                                               Issue    Issue    Rating\n          physically secure; all staff with access to the\n          workspace have a \xe2\x80\x9cneed to know\xe2\x80\x9d and can access\n          the PII.\n      \xef\xbf\xbd   A violation of segregation of duties exists within\n          the DHS 4300A Section Version 7.1.1, Section\n          5.3 Auditing. The policy allows the system\n          administrator to review the audit records for\n          financial systems or for systems hosting or\n          processing PII on a monthly basis. 
The review of\n          the audit logs should be independent (e.g., system\n          administrator of a separate application, security\n          administrator) since the system administrator\n          typically has full access rights and the authority to\n          make changes to the system that may go\n          unnoticed.\n\n\n\n\n                 Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                    Page 131\n\x0c                                                                             Appendix B\n                       Department of Homeland Security\n                   Information Technology Management Letter\n                              September 30, 2010\n\n\n\n\n            Department of Homeland Security\n FY 2010 Information Technology - Notice of Findings and\n               Recommendations \xe2\x80\x93 Detail\n\n            \xef\xbf\xbd Transportation Security Administration\n\n\n\n\nInformation Technology Management Letter for the FY 2010 Financial Statement Audit\n                                   Page 132\n\x0c                                                                                                                                            Appendix B\n                                                  Department of Homeland Security\n                                              Information Technology Management Letter\n                                                         September 30, 2010\n\n                                         Notice of Findings and Recommendations \xe2\x80\x93 Detail\n                                              Transportation Security Administration\n\n NFR                                                                                                                                New      Repeat   Severity\n                                   Condition                                               Recommendation\n #No    
                                                                                                                            Issue     Issue    Rating\nTSA-IT-   To complement our IT audit testing efforts as part of the FY      We recommend TSA in the area of physical                           X         1\n 10-01    2010 DHS Integrated Audit, we also performed social               Security to:\n          engineering and after hours physical security testing During      \xef\xbf\xbd Continue to execute the IT Security\n          our testing we identified the following                               Awareness Training program;\n                                                                            \xef\xbf\xbd Conduct         internal     Physical      Security\n          During our after-hours physical security testing, we identified       walkthrough on a bi-annual basis;\n          one instance of an unsecured laptop computer;\n                                                                            \xef\xbf\xbd Conduct one-on-one training with individuals\n                                                                                failing physical security after-hours testing;\n          During our social engineering testing, we were provided with\n          three user\xe2\x80\x99s passwords.                                           
\xef\xbf\xbd Take administrative actions, if needed, on a\n                                                                                case-by-case basis; and\n                                                                            \xef\xbf\xbd TSA will conduct a communications campaign\n                                                                                to address the effects of improper handling of\n                                                                                Physical Security.\n\n                                                                            We recommend TSA in the area of social\n                                                                            engineering to:\n                                                                            \xef\xbf\xbd Continue to execute the IT Security\n                                                                                Awareness Training program;\n                                                                            \xef\xbf\xbd Conduct internal Social Engineering testing on\n                                                                                a quarterly basis;\n                                                                            \xef\xbf\xbd Conduct one-on-one training with individuals\n                                                                                failing social engineering attempts.\n                                                                            \xef\xbf\xbd TSA will take administrative actions, if\n                                                                                needed, on a case-by-case basis.\n                                                                            \xef\xbf\xbd TSA will conduct a communications campaign\n                                                                                via broadcast warning against social\n                                           
                                     engineering.\nTSA-IT-   Core Accounting System (CAS) & Financial Procurement              We recommend TSA to take the following                             X         2\n 10-02    Desktop (FPD)                                                     corrective actions:\n          During our FY 2010 IT test work, we determined that TSA           CAS/FPD:\n          had created an Internal Standard Operating Procedure (ISOP)\n                     Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                        Page 133\n\x0c                                                                                                                                    Appendix B\n                                             Department of Homeland Security\n                                         Information Technology Management Letter\n                                                    September 30, 2010\n\nNFR                                                                                                                         New      Repeat   Severity\n                               Condition                                             Recommendation\n#No                                                                                                                         Issue     Issue    Rating\n      to detail how quarterly access reviews were to be performed.     \xef\xbf\xbd   Have FINCEN update its helpdesk procedures\n      We compared a listing of TSA CAS and FPD users to the                to provide the correct guidelines so that its\n      master listing of users who needed modifications or deletions        helpdesk staff will no longer grant additional\n      for three quarters (Q1, Q2, and Q3). 
We did not identify any         Standard FPD roles that were not requested on\n      exceptions for Q1 and Q2; however, for the 3rd quarter, one          Account Access Request (AAR). TSA should\n      CAS user was not deleted or modified within 50 days after the        closely monitor the requests implemented by\n      end of the completion of the 3rd quarter. In addition, we            FINCEN to ensure that the updated procedures\n      noted 115 FPD users were not deleted or modified within 51           are being followed.\n      days after the completion of the 3rd quarter.                    \xef\xbf\xbd   TSA should improve the timeline and process\n                                                                           of its Quarterly Review. TSA should update\n      Sunflower                                                            its procedures to monitor the timeliness,\n      During our FY 2010 test work, we determined that the Office          accuracy and quality of the Quality Review\n      of Property Management (OPM) performs monthly access                 process.\n      reviews over Sunflower user accounts. OPM runs three                     a.      Update Quarterly Review ISOP to\n      Sunflower reports each month, and the Deputy Property                            add the expected timeline to\n      Management Officials (DPMOs) and OPM Access Manager                              complete the quarterly review.\n      review the reports and provide dates and initials by each user           b.      Conduct timely follow-up and\n      reviewed. However, for the three months sampled, we                              review of the actual FINCEN\n      determined that three Sunflower users, who had update                            implementation of the AARs to\n      privileges, had not had their access removed in a timely                         ensure that the AARs were\n      manner. 
All users were reviewed in January, but two were                         implemented as requested.\n      not removed until July, and the other user was not removed\n                                                                       \xef\xbf\xbd   TSA should work with FINCEN to identify\n      until August.\n                                                                           and implement the best solution to remove the\n                                                                           one Sunflower role from the user\xe2\x80\x99s profile.\n                                                                       \xef\xbf\xbd   TSA should work with FINCEN to research\n                                                                           and identify options to enhance the automated\n                                                                           AAR process.\n\n                                                                       Sunflower:\n                                                                       \xef\xbf\xbd TSA will provide more training and oversight\n                                                                          for any new access manager to ensure the\n                                                                          process is thoroughly followed.\n                                                                       \xef\xbf\xbd TSA will closely monitor and follow-up with\n                                                                          FINCEN to ensure requests are implemented\n                                                                          timely and correctly.\n                Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                   Page 134\n\x0c                                                                                                                                         Appendix 
B\n                                                 Department of Homeland Security\n                                             Information Technology Management Letter\n                                                        September 30, 2010\n\n NFR                                                                                                                             New      Repeat   Severity\n                                   Condition                                              Recommendation\n #No                                                                                                                             Issue     Issue    Rating\n                                                                           \xef\xbf\xbd    TSA will review and identify alternate\n                                                                                reporting processes in cases of technical\n                                                                                difficulties where supervisors cannot access\n                                                                                the master files on SharePoint.\nTSA-IT-   During our FY 2010 audit test work, we selected a sample of      We recommend that TSA take the following                         X         1\n 10-03    the following forms required by the TSA directive and            corrective action:\n          determined the following:                                        Supervisors and Contracting Officer\xe2\x80\x99s Technical\n          \xef\xbf\xbd Form 1403 Computer Access Agreement: Per the TSA               Representatives within each program office in\n               IT Security Policy Handbook, all TSA personnel,             TSA should ensure, as required by the IT Security\n               including contractors, are required to review and sign      Policy Handbook, that evidence be maintained on\n               Form 1403: Computer Access Agreement upon                
   file for each TSA employee and contractor the\n               commencement of working for the agency. Our testing         Computer Access Agreement form, signed prior to\n               noted that of the five forms sampled, one form was          any financial system access is granted.\n               completed one month after the user was granted access to\n               a TSA system.\nTSA-IT-   During the FY 2010 IT audit, we determined that TSA has          We recommend that TSA work with the DHS                X                   2\n 10-04    fully implemented the TSA ISOP: Process for Validation of        Chief Financial Officer and the DHS Chief\n          Controls over the USCG Script Process to monitor scripts run     Information Officer to ensure that Coast Guard\n          at FINCEN.                                                       Headquarters\' completes, in a timely manner, the\n                                                                           planned corrective actions to:\n          Specifically, we noted that TSA has implemented an               \xef\xbf\xbd Update the scripting policies and procedures\n          extensive review of the scripts that impact TSA on a weekly,         to include additional and more detailed test\n          monthly, quarterly and ad hoc basis. 
Additionally, a baseline        documentation;\n          review was performed to ensure that all scripts that were run    \xef\xbf\xbd Develop training that addresses all aspects of\n          in production prior to 4/1/2010, this was approximately 160          script testing (including documentation of test\n          scripts and that they were reviewed for their purpose and the        documents) and provide training to\n          financial impact of the scripts were understood by the various       appropriate CM staff;\n          stakeholders in the script review process, which included the\n                                                                           \xef\xbf\xbd Develop an RP with associated supporting\n          Script Technical Lead, Script Module Leads (SMLs), and\n                                                                               business case(s) to address the database audit\n          Subject Matter Experts (SMEs). Any script that was not\n                                                                               logging requirements;\n          included in the baseline review was considered new and was\n          included in the weekly, monthly, quarterly and ad hoc review     \xef\xbf\xbd   Develop procedures and perform regular\n          process. The reviews conducted by TSA included validation            account revalidation for Serena to ensure\n          and verification steps to ensure that the Coast Guard is             privileges remain appropriate; and\n          properly tracking the TSA scripts and that those scripts go      \xef\xbf\xbd   Conduct an assessment over the ICFOR\n          through the proper configuration management processes.               
process related to identifying and evaluating\n                    Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                       Page 135\n\x0c                                                                                                                                        Appendix B\n                                              Department of Homeland Security\n                                          Information Technology Management Letter\n                                                     September 30, 2010\n\nNFR                                                                                                                             New      Repeat   Severity\n                               Condition                                               Recommendation\n#No                                                                                                                             Issue     Issue    Rating\n                                                                            scripts that have a financial statement impact.\n      We noted no exceptions during our testing of the TSA Script           This assessment can be included in the\n      Configuration Management Oversight Process.                           Configuration Management Oversight Process\n                                                                            as part of Coast Guard\xe2\x80\x99s annual A-123 efforts\n      Configuration Management Controls Over the Coast Guard                or performed independent of the A-123\n      Scripting Process                                                     process. 
We recommend that this assessment\n                                                                            (1) be performed early in the FY 2011, in time\n      The analysis conducted over the Coast Guard script                    to remediate deficiencies before the end of the\n      configuration management process reflects the assessment of           third quarter, and (2) involve process\n      the control environment for the entire fiscal year.                   documentation and sufficient testing to fully\n      Weaknesses identified over the process are risks that existed         assess both design and operating effectiveness\n      in the environment from October 2009 to September 2010                of controls. The objective being to have a\n      unless otherwise noted.                                               reliable process and internal controls in place\n                                                                            that allow the auditor to test, and rely on those\n      \xef\xbf\xbd   Based upon follow-up test work performed in FY 2010,              controls, during the fourth quarter of FY 2011.\n          we determined that some previously noted weaknesses\n          were remediated (particularly in the second half of FY        TSA Specific Recommendation:\n          2010), while other control deficiencies continued to exist.\n          The remaining control deficiencies that were present          Continue to conduct an assessment over the\n          throughout FY 2010 vary in significance, however three        ICFOR process related to identifying and\n          key areas that impact the Coast Guard Script control          evaluating scripts that have a financial statement\n          environment are: 1) Script Testing Requirements, 2)           impact. Findings will be communicated and\n          Script Testing Environment, and 3) Script Audit Logging       coordinated with USCG, as appropriate. This\n          Process.     
                                                 assessment can be included in the testing of the\n                                                                        TSA Script Configuration Management Oversight\n          -   Script Testing Requirements:        Limited testing       Process as part of TSA\xe2\x80\x99s annual A-123 efforts.\n              requirements exist to guide FINCEN staff in the           Further, we recommend that this assessment (1) be\n              development of test plans and guidance over the           performed early in the FY 2011, in time to\n              functional testing that should be performed.              remediate deficiencies before the end of the third\n              Additionally, we determined that there are no             quarter, and (2) involve process documentation\n              detailed requirements over the review and testing of      and sufficient testing to fully assess both design\n              functional changes to the data. FINCEN only tracks        and operating effectiveness of controls. The\n              and documents the number of transactions updated          objective being to have a reliable process and\n              on scripts that have a financial impact and not the       internal controls in place that allow the auditor to\n              detailed dollar amounts associated with the financial     test, and rely on those controls, during the fourth\n              impact transactions.                                      
quarter of FY 2011.\n\n                Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                                   Page 136\n\x0c                                                                                                             Appendix B\n                                            Department of Homeland Security\n                                        Information Technology Management Letter\n                                                   September 30, 2010\n\nNFR                                                                                                  New      Repeat   Severity\n                              Condition                                  Recommendation\n#No                                                                                                  Issue     Issue    Rating\n          -   Script Testing Environment: Not all script changes\n              were tested in the appropriate CAS Suite test\n              environments as required. FINCEN management\n              informed us that the testing environments, CAS4 and\n              LUFSFQT3, were offline for these exceptions due to\n              a refresh of the databases and that testers used CAS3\n              and Alpha as alternate testing environments instead.\n              However, FINCEN management informed KPMG\n              that these environments are refreshed on an as\n              needed basis and no further information could be\n              provided over how frequently the CAS3 and Alpha\n              databases were refreshed to verify that the scripts\n              were adequately tested in the appropriate\n              environment. 
Furthermore, we determined that guidance is not provided over the use of alternate testing environments for the testing of scripts to ensure they are adequately tested.

          -   Script Audit Logging Process: The CAS, FPD, and Sunflower databases log changes to tables as well as successful and unsuccessful logins. However, no reconciliation between the scripts run and the changes made to the database tables is performed to monitor script activity and to ensure that every script run was approved through the Change Management Script System (CMSS) or Serena. In addition, we noted that FINCEN has not established a formal process to monitor and review changes made to the Sunflower database, including the tables and activities modified by the database administrators.

      Internal Control Over Financial Reporting – Financial Statement Impact.

      The USCG has established certain processes to identify and assess the validity of scripts that may have a financial statement impact [on both USCG and TSA financial statements]. This process is performed by one primary individual and two identified backup personnel, who review the script for accuracy and propriety, provide feedback to the source, and ultimately approve its application. This process has certain control deficiencies that have been communicated to USCG (see NFR # CG-IT-10-05), which have led, in part, to TSA's adoption of certain redundant controls to review TSA scripts for propriety. Furthermore, the rationale for the assessed impact of each script, whether deemed to have a financial impact or not, is not documented and retained. In addition, within the CAS Suite environment, over 200 scripts are run on a weekly basis. During FY 2010, through this review TSA discovered various errors that USCG was required to correct. The exceptions noted by TSA are indicative of weaknesses in the USCG process.

      We also consider it principally important that TSA monitor the Coast Guard's corrective actions. In addition, TSA should consider, as part of its annual A-123 efforts, adding its own A-123 testing procedures to identify and evaluate the financial impact of TSA scripting at the Coast Guard.

                Information Technology Management Letter for the FY 2010 Financial Statement Audit
                                                   Page 137

                                                                          Appendix B
                        Department of Homeland Security
                    Information Technology Management Letter
                               September 30, 2010


              Department of Homeland Security
              FY 2010 Information Technology
   Notification of Findings and Recommendations – Detail

       -   United States Citizenship and Immigration Services


                                        Notice of Findings and Recommendations – Detail
                                       United States Citizenship and Immigration Services

Each entry below gives the NFR number, whether it is a new issue or a repeat issue, and the severity rating, followed by the condition and the recommendation.

CIS-IT-10-01 (Repeat Issue; Severity Rating: 3)
  Condition: During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of this weakness and learned that the access roles at the National Benefits Center (NBC) for CLAIMS 3 LAN have not been defined and documented. USCIS has begun some corrective action; however, these issues have not been fully remediated.
  Recommendation: The USCIS Office of Information Technology will finalize the CLAIMS 3 LAN Account Management Procedures that address account identification, set-up, recertification, termination, and access request form maintenance. These procedures reflect how all CLAIMS 3 LAN accounts will be managed at each facility that utilizes the CLAIMS 3 LAN.

CIS-IT-10-02 (Repeat Issue; Severity Rating: 3)
  Condition: During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of this weakness and learned that the weakness has not been remediated for CLAIMS 3 LAN periodic user access reviews. USCIS has begun some corrective action; however, these issues have not been fully remediated.
  Recommendation: The USCIS OIT will continue to manually review CLAIMS 3 LAN accounts for those that have been inactive for 45 days and to remove users that appear on the Office of Human Capital and Training (HCT) bi-weekly attrition list. OIT will finalize the CLAIMS 3 LAN Account Management Procedures that address account identification, set-up, recertification, termination, and access request form maintenance. OIT will continue to work with the OIT Account Management Group, the IT Project Manager, and each installation site to recertify CLAIMS 3 LAN accounts and ensure a current and valid access request form is filed. OIT will continue to work with HCT to ensure their exit clearance process includes procedures to promptly notify OIT when employees leave or transfer. OIT will also finalize the USCIS Account Management, Management Directive (Agency Policy).

CIS-IT-10-03 (Repeat Issue; Severity Rating: 2)
  Condition: During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of the prior year NFR and learned that the weakness still exists for incomplete or inadequate access request forms for CLAIMS 3 LAN and CLAIMS 4. USCIS has begun some corrective action; however, these issues have not been fully remediated.
  Recommendation: The USCIS OIT will finalize the CLAIMS 3 LAN and CLAIMS 4 Account Management Procedures that address account identification, set-up, recertification, termination, and access request form maintenance. OIT will continue to work with the OIT Account Management Group, the IT Project Manager, and each installation site to recertify CLAIMS 3 LAN and CLAIMS 4 accounts and ensure a current and valid access request form is filed.

CIS-IT-10-04 (Repeat Issue; Severity Rating: 2)
  Condition: In FY 2009, KPMG performed an inspection of a sample of personnel that had terminated/transferred from their employment with USCIS during the fiscal year. KPMG requested evidence that exit clearance forms were completed for each employee to determine USCIS management's compliance with termination/transfer procedures. Of the 28 terminated/transferred USCIS personnel sampled, evidence of compliance with exit clearance procedures could not be provided for 19 employees.
  During the FY 2010 financial statement audit, we learned that the USCIS Human Resource Division revised the existing terminated/transferred procedures for exit processing; however, the procedures have been neither approved nor implemented.
  Recommendation: We recommend USCIS management issue and adhere to exit clearance policies and procedures to be followed in the event of transfer, termination, or separation of federal and contract personnel. Resources should be made available to communicate the updated procedures to personnel, train mission support staff who have a critical role in the updated process, and enforce and monitor compliance with the exit procedures and policies.

CIS-IT-10-05 (Repeat Issue; Severity Rating: 1)
  Condition: During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of this weakness and learned that equipment and media policies and procedures are not current. USCIS has begun some corrective action; however, these issues have not been fully remediated.
  Recommendation: The USCIS OIT will finalize the USCIS Media Protection Management Directive and the USCIS Media Protection Procedures and ensure they are readily available to USCIS personnel. OIT will continue to work with the Office of Administration to ensure there is a standardized process to label, track, sanitize, refurbish, and/or destroy USCIS media using approved equipment and software.

CIS-IT-10-06 (New Issue; Severity Rating: 3)
  Condition: During KPMG's internal vulnerability assessment of FFMS performed in August 2010, KPMG identified several High/Medium Risk vulnerabilities related to the following:
          -   FFMS mainframe production databases were installed and configured without baseline security configurations, including the USCIS Oracle instance.
          -   FFMS servers have missing or inadequate patches.
  In addition, we found physical safeguard weaknesses at the DHS DC2 data center, which impact USCIS operations. Specifically, we determined the following:
          -   Re-entry procedures after an emergency have been implemented; however, the procedures are not documented.
          -   An FFMS server is inappropriately marked with a label that identifies the application/data on the server.
  Recommendation: USCIS will monitor the Mission Action Plans (MAP) of the associated ICE NFRs (IT-10-12, IT-10-13, IT-10-14, and IT-10-15) and request periodic status updates.

CIS-IT-10-07 (Repeat Issue; Severity Rating: 2)
  Condition: During the FY 2009 financial statement audit, KPMG performed inspection of the CLAIMS 4 password configuration settings. Per our inspection, KPMG determined that CLAIMS 4 has been configured to prohibit password reuse for 6 generations, which does not meet the DHS 4300A requirement of 8 password generations. During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of this weakness and learned that the weakness has not been remediated for the CLAIMS 4 password configuration. USCIS has begun some corrective action; however, these issues have not been fully remediated.
  Recommendation: The USCIS OIT will continue to evaluate the risk imposed on the CLAIMS 4 system by not changing the password history from 6 to 8 generations. If the risk is deemed low, OIT will submit a Waivers and Exceptions Request Form to the DHS CISO. If the risk is deemed medium or high, OIT will continue to implement the password changes as outlined in the FY 2009 USCIS OIT MAP.

CIS-IT-10-08 (Repeat Issue; Severity Rating: 1)
  Condition: During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of this weakness and learned that ineffective safeguards still exist over physical access to sensitive facilities and resources. USCIS has begun some corrective action; however, these issues have not been fully remediated.
  Recommendation: The USCIS OIT will continue to finalize the Media Protection Procedures for the Vermont Service Center (VSC). OIT will test VSC's OIT Visitor Policy and Procedures to ensure they address the physical security concerns listed in the condition statement.

CIS-IT-10-09 (Repeat Issue; Severity Rating: 2)
  Condition: In FY 2009, we determined that USCIS lacks policies and procedures over audit logging of application and server audit logs for the CLAIMS 3 LAN and CLAIMS 4 systems. Specifically, we learned that CLAIMS 3 LAN generates audit logs; however, USCIS does not require that the logs be reviewed or maintained. In addition, we determined that USCIS does not have policies or procedures in place for maintaining and reviewing the audit logs. For CLAIMS 4, we noted that Computer Sciences Corporation (CSC) contractors capture and review the logs of user access to CLAIMS 4; however, no reviews of significant changes in the application or to system files are conducted. Additionally, no policies or procedures have been established for conducting and monitoring the audit log reviews.
  During the FY 2010 financial statement audit, we learned that USCIS has begun some corrective action; however, these issues have not been fully remediated. Therefore, this finding is being reissued.
  Recommendation: OIT will continue to finalize the USCIS Audit and Accountability Management Directive and implement enterprise audit logging software. OIT will ensure CLAIMS 3 LAN and CLAIMS 4 audit logs are provided to the enterprise audit logging software for analysis. Once the integration of CLAIMS 3 LAN and CLAIMS 4 with the enterprise audit logging software is complete, OIT will develop CLAIMS 3 LAN and CLAIMS 4 audit and accountability procedures.

CIS-IT-10-10 (Repeat Issue; Severity Rating: 2)
  Condition: During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of this weakness and learned that weak logical access controls still exist over CLAIMS 4. USCIS has begun some corrective action; however, these issues have not been fully remediated.
  Recommendation: The USCIS Office of Information Technology (OIT) will finalize the CLAIMS 4 Account Management Procedures that address account identification, set-up, recertification, termination, and access request form maintenance. OIT will continue to work with the OIT Account Management Group, the IT Project Manager, and each installation site to recertify CLAIMS 4 accounts and ensure a current and valid access request form is filed. OIT will also finalize the USCIS Account Management, Management Directive (Agency Policy).
  OIT will continue to manually review CLAIMS 4 accounts for those that have been inactive for 45 days and to remove users that appear on the Office of HCT bi-weekly attrition list. OIT will continue to work with HCT to ensure their exit clearance process includes procedures to promptly notify OIT when employees leave or transfer.
  The HCT must finalize Exit Clearance Process policies and procedures and ensure that these documents are disseminated agency-wide. Specifically, ensure that contracting officers, contracting officers' technical representatives, managers, and supervisors are informed about these documents and understand their importance.

CIS-IT-10-11 (Repeat Issue; Severity Rating: 2)
  Condition: During the FY 2010 financial statement audit, we performed inquiry follow-up to determine the status of this weakness and learned that CLAIMS 3 LAN still lacks policy and procedures for separated employees. USCIS has begun some corrective action; however, these issues have not been fully remediated.
  Recommendation: The USCIS OIT will continue to manually review CLAIMS 3 LAN accounts for those that have been inactive for 45 days and to remove users that appear on the Office of HCT bi-weekly attrition list. OIT will finalize the CLAIMS 3 LAN Account Management Procedures that address account identification, set-up, recertification, termination, and access request form maintenance. OIT will continue to work with HCT to ensure their exit clearance process includes procedures to promptly notify OIT when employees leave or transfer. OIT will also finalize the USCIS Account Management Directive (Agency Policy).
  The HCT must finalize Exit Clearance Process policies and procedures and ensure that these documents are disseminated agency-wide. Specifically, ensure that contracting officers, contracting officers' technical representatives, managers, and supervisors are informed about these documents and understand their importance.

CIS-IT-10-12 (Repeat Issue; Severity Rating: 2)
  Condition: During the FY 2010 financial statement audit, we learned that the IT security awareness training weakness has not been remediated; therefore, this finding was reissued.
  Recommendation: For initial information security awareness training, OIT will continue to update and provide training materials for the Office of HCT New Employee Orientation Program (NEOP). The HCT should continue to implement the NEOP agency-wide. HCT must provide OIT a monthly report of all new hires and the date they completed initial information security awareness training during NEOP.
  For annual information security awareness refresher training, OIT will continue to use the Department of State (DOS) Computer Security Awareness Training (CSAT) tool to provide information security awareness training to all USCIS employees with access to agency information systems.

CIS-IT-10-13 (New Issue; Severity Rating: 2)
  Condition: During roll-forward testing for the FY 2010 financial statement audit, KPMG performed inspection of Active Directory and Exchange (ADEX) access request forms. Per our inspection, KPMG determined that one of the forty-five access forms requested was not provided. Additionally, three of the forty-five access forms requested were created on the same day as the request.
  Recommendation: The Office of Information Technology will finalize and issue the USCIS MD on Information System Account Management. The MD stipulates policies on records management of access requests and standardizes the USCIS Network Access Request Form.

CIS-IT-10-14 (Repeat Issue; Severity Rating: 3)
  Condition: ICE - During KPMG's internal vulnerability assessment of ICE's ADEX network servers and devices performed in August 2010, KPMG identified a default installation and configuration of the Hot Standby Router Protocol (HSRP) on the Cisco routers.
  USCIS - Although USCIS does not have direct responsibility for the controls over ADEX and ICE financial applications, USCIS does have a responsibility to proactively manage its service provider relationship with ICE. USCIS should require ICE to provide a detailed Corrective Action Plan (CAP) containing the planned remediation of the security vulnerabilities affecting USCIS data integrity.
  Recommendation: USCIS will monitor the MAP of the associated NFR # ICE-IT-10-16 and request periodic status updates.


                                                                          Appendix C
                        Department of Homeland Security
                    Information Technology Management Letter
                               September 30, 2010


                                 APPENDIX C
Status of Prior Year Notices of Findings and Recommendations
                      and Comparison to
Current Year Notices of Findings and Recommendations at DHS


                    Current Year Notices of Findings and Recommendations

Disposition is either "Closed" or "Repeat as <current-year NFR number>" (the current-year NFR carries the same component prefix, e.g. CBP-IT-09-12 is repeated as CBP-IT-10-11). Blank entries in the description are redacted in the source.

NFR No.         Disposition              Description
CBP-IT-09-03    Closed                   Contractor Tracking Deficiencies
CBP-IT-09-12    Repeat as 10-11          [redacted] Install
CBP-IT-09-13    Repeat as 10-11          Complete List of CBP Workstations
CBP-IT-09-21    Repeat as 10-14          Review of Changes to Security Profiles in ACS
CBP-IT-09-27    Closed                   [redacted] Administrator Access Authorization Weaknesses
CBP-IT-09-29    Repeat as 10-09          Completion of CF-241 Forms for Terminated Employees
CBP-IT-09-34    Repeat as 10-11          Installation of Anti-Virus Protection
CBP-IT-09-41    Repeat as 10-08          Weaknesses in the Process of Separating CBP Contractors
CBP-IT-09-44    Repeat as 10-10          Completion of Non Disclosure Agreements for US CBP Contractors
CBP-IT-09-45    Closed                   Log configuration weakness for [redacted] System
CBP-IT-09-48    Repeat as 10-19          Lack of Effective ACS Access Change Log Review Procedures
CBP-IT-09-56    Repeat as 10-03          ACE Audit Log Reviews
CBP-IT-09-57    Closed                   NDC LAN Audit Logs
CBP-IT-09-58    Closed                   Novell Password Settings
CBP-IT-09-59    Closed                   Formal Procedures for Mainframe System Utility Logs
CBP-IT-09-60    Repeat as 10-20          Configuration for Mainframe Security Violation Control Option
CBP-IT-09-61    Repeat as 10-21          Completion of Initial Background Investigations and Periodic Background Reinvestigations for CBP Employees and Contractors
CBP-IT-09-62    Closed                   Rules of Behavior Not Consistently Signed by CBP Employees and Contractors
CBP-IT-09-63    Closed                   ACE does not disable accounts after 45 days
CBP-IT-09-64    Repeat as 10-16          ACS PGA ISAs Not Completely Documented
CBP-IT-09-65    Repeat as 10-06          Documentation of ACE Access Change Requests
CBP-IT-09-66    Repeat as 10-01          Separated Employees on ACE Access Listing
CBP-IT-09-67    Repeat as 10-17          Inadequate Documentation of ACS Access Change Requests
CBP-IT-09-68    Closed                   Vulnerabilities in Configuration and Patch Management
CBP-IT-09-69    Closed                   Inadequate SAP Profile Change Review
CBP-IT-09-70    Closed                   Overuse of ACS Emergency/Temporary Access Roles
CBP-IT-09-71    Closed                   Inadequate Documentation of SAP Emergency/Temporary Access Requests
CBP-IT-09-72    Repeat as 10-02          ACE Segregation of Duties Controls are Not In Place
CBP-IT-09-73    Closed                   Inadequate Documentation of ACE SCO Access Requests and Approvals
CBP-IT-09-74    Repeat as 10-05, 10-07   Inadequate Protection of CBP Information and Property

CG-IT-09-10     Repeat as 10-02          Contractor Background Investigation Weakness
CG-IT-09-14     Repeat as 10-10          Weaknesses with Specialized Role-based Training for Individuals with Significant Security Responsibilities
CG-IT-09-23     Repeat as 10-22          Shore Asset Management (SAM) Audit Log Review Weakness
CG-IT-09-25     Closed                   WINS Access Controls Need Strengthening
CG-IT-09-31     Repeat as 10-05          Weaknesses Exist in the Configuration Management Controls Over the Scripting Process
CG-IT-09-32     Closed                   Lack of Documented Contractor Tracking System Reconciliation Procedures
CG-IT-09-33     Repeat as 10-01          Lack of a Consistent Contractor, Civilian, and Military Account Termination Process for Coast Guard Systems
CG-IT-09-34     Closed                   WINS Change Control Weakness
CG-IT-09-40     Repeat as 10-03          Civilian Background Investigation Weakness
CG-IT-09-42     Repeat as 10-24          Non-Compliance with Federal Financial Management Improvement Act (FFMIA) – Information Technology
CG-IT-09-43     Closed                   Recertification Weakness within the User Management System (UMS)
CG-IT-09-45     Closed                   FINCEN data center access is not restricted to appropriately authorized personnel
CG-IT-09-46     Closed                   Configuration and Patch Management - Vulnerability Assessment
CG-IT-09-49     Closed                   JUMPS Audit Log Review Weakness
CG-IT-09-50     Repeat as 10-28          Audit Trail Weaknesses within the Direct Access Application
CG-IT-09-51     Closed                   Audit Trail Weaknesses within the Global Pay Application
CG-IT-09-52     Repeat as 10-12          Recertification Weakness within the Direct Access Application
CG-IT-09-53     Repeat as 10-06          Security Awareness Issues Associated with the Protection of Sensitive Information

CIS-IT-09-01    Repeat as 10-01          Inefficient definition and documentation of access roles at the National Benefits Center for CLAIMS 3 LAN
CIS-IT-09-02    Repeat as 10-02          Periodic user access reviews are not performed for CLAIMS 3 LAN users
CIS-IT-09-03    Repeat as 10-03          Incomplete or inadequate access request forms for CLAIMS 3 LAN and CLAIMS 4 system users
CIS-IT-09-04    Closed                   Periodic Active Directory (ADEX) system administrator access reviews are not performed at USCIS
CIS-IT-09-06    Closed                   Weak data center access controls exist
CIS-IT-09-07    Repeat as 10-05          Equipment and media policies and procedures are not current
CIS-IT-09-08    Closed                   Weak access controls for security software exist within the Password Issuance and Control System (PICS)
CIS-IT-09-09    Closed                   Weak access controls exist in CLAIMS 3 LAN
CIS-IT-09-10    Repeat as 10-07          Weak password configuration controls around CLAIMS 4
CIS-IT-09-11                             Background investigations are not conducted in a timely manner
X\nCIS-IT-09-12   Procedures for transferred/terminated personnel exit processing              10-04\n               are not finalized\nCIS-IT-09-13   Ineffective safeguards over physical access to sensitive facilities          10-08\n               and resources\nCIS-IT-09-14   Weak access controls exist within FFMS                                X\nCIS-IT-09-15   Lack of policies and procedures for CLAIMS 3 LAN and                         10-09\n               CLAIMS 4 audit logs\nCIS-IT-09-16   Weak logical access controls exist over CLAIMS 4                             10-10\nCIS-IT-09-17   Training for IT security personnel is not mandatory                   X\nCIS-IT-09-18   Lack of policies and procedures for separated CLAIMS3 LAN                    10-11\n               accounts\nCIS-IT-09-19   IT Security Awareness Training compliance is not monitored                   10-12\n\nCIS-IT-09-20   Default installation and configuration of Cisco routers on ICE               10-14\n\n\n        Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                           Page 149\n\x0c                                                                                   Appendix C\n                                  Department of Homeland Security\n                              Information Technology Management Letter\n                                         September 30, 2010\n\n                Network Impact USCIS Operations.\n\nCONS-IT-09-13   Evidence of Security Management Review of DHSTIER\xe2\x80\x99s            X\n                Oracle Activity Audit Reports is Not Retained\nCONS-IT-09-14   CFO Vision Password Parameters are Not Configured in                  10-01\n                Accordance with DHS Policy\nCONS-IT-09-15   Operating System Patch Management Procedures for DHSTIER       X\n                and CFO Vision Not Documented.\nCONS-IT-09-16   Periodic Review of DHS Stennis Data Center Access 
Privileges   X\n                is Not Performed\n\nFEMA-IT-09-02   Configuration Management Weaknesses on IFMIS, NEMIS, and              10-41\n                Key Support Servers (vulnerability assessment finding)\nFEMA-IT-09-03   Weaknesses Exist over Recertification of Access to IFMIS             10-14\nFEMA-IT-09-06   Documentation Supporting the IFMIS User Functions Does Not           10-49\n                Exist\nFEMA-IT-09-12   NEMIS Access Controls Need Improvement                                10-01\nFEMA-IT-09-13   Employee Termination Process for Removing System Access               10-21\n                Should be More Proactive\nFEMA-IT-09-17   System Programmers Have the Ability to Migrate Code into the          10-39\n                IFMIS Production Environment\nFEMA-IT-09-19   Monitoring of NEMIS System Software Needs Improvement                 10-04\nFEMA-IT-09-22   Alternate Processing Site for NEMIS Has Not Been Established          10-02\nFEMA-IT-09-24   NEMIS Backups Are Not Tested in Accordance with Policy                10-36\nFEMA-IT-09-25   The NEMIS Contingency Plan Is Not Tested                              10-20\nFEMA-IT-09-28   NEMIS Configuration Management Process for Non-Emergency              10-62\n                Changes Needs Improvement\nFEMA-IT-09-29   NEMIS Emergency Change Process Needs Improvement                      10-62\nFEMA-IT-09-38   Segregation of Duties Not Enforced for Traverse                X\nFEMA-IT-09-39   Traverse Contingency Plan Not Tested and NFIP Disaster                10-61\n                Recovery and COOP Needs Improvement\nFEMA-IT-09-45   IFMIS User Access is not Managed in Accordance with Account           10-26\n                Management Procedures\nFEMA-IT-09-46   IFMIS System Interconnections Agreements Have Not Been         X\n                Reauthorized\nFEMA-IT-09-48   Corrective Action over NEMIS Vulnerabilities is Not Formally          10-33\n                Documented\nFEMA-IT-09-50  
 Weaknesses Exist over IFMIS Application and Database Audit            10-11\n                Logging\nFEMA-IT-09-51   NEMIS Oracle Audit Logging is Not Tracked                             10-09\nFEMA-IT-09-52   Existing NEMIS Patch Management Guidance Needs to be                  10-35\n                Implemented\nFEMA-IT-09-38   Segregation of Duties Not Enforced for Traverse                X\nFEMA-IT-09-39   Traverse Contingency Plan Not Tested and NFIP Disaster                10-61\n                Recovery and COOP Needs Improvement\nFEMA-IT-09-45   IFMIS User Access is not Managed in Accordance with Account           10-26\n                Management Procedures\nFEMA-IT-09-46   IFMIS System Interconnections Agreements Have Not Been         X\n                Reauthorized\nFEMA-IT-09-48   Corrective Action over NEMIS Vulnerabilities is Not Formally          10-33\n                Documented\n\n\n        Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                           Page 150\n\x0c                                                                                    Appendix C\n                                   Department of Homeland Security\n                               Information Technology Management Letter\n                                          September 30, 2010\n\nFEMA-IT-09-50    Weaknesses Exist over IFMIS Application and Database Audit            10-11\n                 Logging\nFEMA-IT-09-51    NEMIS Oracle Audit Logging is Not Tracked                             10-09\nFEMA-IT-09-52    Existing NEMIS Patch Management Guidance Needs to be                  10-35\n                 Implemented\nFEMA-IT-09-77    FEMA and NFIP Planning, Management and Communication                  10-47\n                 Related to Financial Systems Development and Acquisition\n                 Projects Needs to be Improved\nFEMA-IT-09-78    Weaknesses Exist in the NEMIS Configuration Management         
       10-62\n                 Process under the EADIS contract\nFEMA-IT-09-79    Weaknesses Exist over Management of FEMA LAN Accounts                 10-22\nFEMA-IT-09-80    Vulnerability Assessments of the NFIP LAN is Inadequate               10-52\nFEMA-IT-09-81    Improvements are Needed in Core and G&T IFMIS Internal                10-34\n                 Scanning Procedures and Processes\nFEMA-IT-09-82    Core and G&T IFMIS Patch Management Weaknesses                        10-32\nFEMA-IT-09-83    EADIS NEMIS Access Restrictions to Program Directories\n                                                                                       10-51\n                 Needs Improvement\nFEMA-IT-09-84    PARS Database Security Controls are Not Appropriately\n                 Established                                                           10-05\nFEMA-IT-09-85    TRRP Password Configurations have not been Configured in       X\n                 Accordance with DHS Policy\nFEMA-IT-09-86    Weaknesses Exist over the Implementation of Traverse System\n                                                                                       10-60\n                 Changes\nFEMA-IT-09-87    Weaknesses Exist in FEMA\xe2\x80\x99s Incident Response Program                  10-31\nFEMA-IT-09-88    Weaknesses exist over access authorizations for TRRP                  10-53\nFEMA-IT-09-89    Weaknesses exist over FEMA Background Investigations for\n                                                                                       10-45\n                 Federal Employees and Contractors\nFEMA-IT-09-90    FEMA LAN Certification and Accreditation Package is not\n                                                                                       10-28\n                 Adequate\nFEMA-IT-09-91    FEMA Contractor Tracking Program is Inadequate                        10-10\n\nFLETC-IT-09-03   Momentum System Software is Not Logged or Reviewed             X\nFLETC-IT-09-26   
System Engineering Lifecycle (SELC) is not finalized           X\nFLETC-IT-09-31   Configuration Management Weaknesses on the Procurement         X\n                 Desktop, Momentum, and GSS.\nFLETC-IT-09-33   Momentum Audit Logs are not Reviewed                                  10-04\nFLETC-IT-09-34   GAN audit logs are not reviewed                                       10-05\nFLECT-IT-09-35   Weak access controls around Momentum                                  10-02\nFLETC-IT-09-36   Ineffective logical access controls over the Glynco                   10-03\n                 Administrative Network\nFLETC-IT-09-37   Physical Security and Security Awareness Issues Identified            10-06\n                 during Enhanced Security Testing\nFLETC-IT-09-38   Ineffective logical access controls over SIS                   X\n\n ICE-IT-09-11    Ineffective physical security controls at facility entrances   X\n ICE-IT-09-12    Ineffective/non-compliant account lockout counter settings     X\n ICE-IT-09-13    Ineffective password settings in FFMS                                 10-02\n ICE-IT-09-14    Ineffective ADEX user access recertification process           X\n ICE-IT-09-15    Ineffective FFMS access recertification process                       10-03\n ICE-IT-09-16    Terminated/transferred personnel are not removed from ADEX            10-06\n                 in a timely manner\n\n\n         Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                            Page 151\n\x0c                                                                                        Appendix C\n                                   Department of Homeland Security\n                               Information Technology Management Letter\n                                          September 30, 2010\n\nICE-IT-09-17    Segregation of duty policies are not enforced in FFMS                      10-04\nICE-IT-09-18    Background 
reinvestigations are not conducted in a timely           X\n                manner for contractors.\nICE-IT-09-19    Procedures for transferred/terminated personnel exit processing     X      10-01\n                are not allowed.\nICE-IT-09-20    Training for IT security personnel is not mandatory                        10-11\nICE-IT-09-21    Vulnerability Assessment - Network devices were installed with             10-13\n                default configuration settings and protocols; inadequate patches;         through\n                and weak/ generic passwords.                                               10-16\nICE-IT-09-22    Physical Security and Security Awareness Issues Identified                 10-09\n                during Enhanced Security Testing\nICE-IT-09-23    IT Security Awareness Training requirements are not enforced        X\n\nOCIO-IT-09-03   DHS has not fully implemented the FDCC security                           10-01\n                configurations requirements.\n\nTSA-IT-10-20    TSA Computer Access Agreement Process                                   TSA-IT-10-\n                                                                                           03\nTSA-IT-10-23    Configuration Management Controls Over the Coast Guard              X\n                Scripting Process (Included a specific TSA condition)\nTSA-IT-10-28    Physical Security and Security Awareness Issues Identified              TSA-IT-10-\n                during Enhanced Security Testing                                           01\nTSA-IT-10-29                                                                            TSA-IT-10-\n                CAS, FPD, and Sunflower Access Recertification\n                                                                                           02\n\n\n\n\n        Information Technology Management Letter for the FY 2010 Financial Statement Audit\n                                           Page 152\n\x0c                            
                                                                                    Appendix D
                                  Department of Homeland Security
                              Information Technology Management Letter
                                         September 30, 2010


                                                     U.S. Department of Homeland Security
                                                     Washington, DC 20528


        MEMORANDUM FOR:     Frank Deffer
                            Assistant Inspector General
                            Information Technology Audits

        FROM:               Peggy Sherry
                            Acting Chief Financial Officer

                            Richard Spires
                            Chief Information Officer

                            Robert West
                            Chief Information Security Officer

        SUBJECT:            Draft Audit Report - Information Technology Management Letter for
                            FY 2010 DHS Financial Statement Audit For Official Use Only
                            (Project No. [illegible])


        We have reviewed the Office of the Inspector General's (OIG) draft audit report,
        Information Technology Management Letter for FY 2010 DHS Financial Statement
        Audit, dated [illegible]. We concur with the financial system security findings
        outlined within your audit report.

        The DHS Chief Information Officer (CIO) and Chief Financial Officer (CFO) continue to
        work closely in ensuring the timely remediation of financial system security weaknesses
        and strengthening the Department's information systems control environment. Major
        activities include:

        •    Issued the FY 2010 Internal Control Playbook Management Assurance Process
             Guide, which includes DHS' approach for documenting and testing the design
             effectiveness of financial system Information Technology General Controls (ITGCs).
        •    Updated the CFO Designated Systems List for FY 2010 as a result of the
             [illegible] assessments performed in FY 2009. This specifies the financial systems that
             require additional management accountability to ensure effective controls exist over
             financial reporting.
        •    Developed and implemented modifications to the scope of A-123 assessments for FY
             2010 to perform verification and validation procedures to ensure Plans of Action and
             Milestones (POA&Ms) address root causes of financial system security control
             deficiencies identified from the financial statement audits and Federal Information
             Security Management Act (FISMA) annual assessments. Validation and verification
             (V&V) procedures were performed at the following components - U.S. Citizenship
             and Immigration Services, Immigration and Customs Enforcement, Customs and
             Border Protection, Federal Law Enforcement Training Center, the DHS Management
             Directorate and U.S. Secret Service. The V&V efforts consisted of a three-phased
             assessment approach:
                      1. Assess current state: baseline IT Notifications of Findings and
                         Recommendations (NFRs) and OMB Circular A-123 assessment gaps;
                      2. Gain understanding of the remediation activities and root cause analysis; and
                      3. Test design and operating effectiveness of remediated controls.
        •    Issued the FY 2010 DHS Information Security Performance Plan which includes the
             requirements to ensure key financial system security controls are tested annually and
             quality POA&Ms are developed and completed timely.
        •    Continued tracking of A-123 ITGC weaknesses through the weakness remediation
             metric on the FISMA Scorecard.
        •    Provided POA&M training which includes root cause analysis training to DHS
             Components.
        •    Improved process for tracking IT audit recommendations for classified systems to
             ensure traceability to POA&Ms in Classified [illegible].

        Additionally in FY 2011, DHS has conducted individual risk assessments and required
        detailed briefings from all components contributing to the material weakness condition at
        the Department. The primary goals of these meetings were to determine "audit readiness",
        evaluate the effectiveness of corrective actions, and identify areas where additional
        resources can be placed on automated controls.

        The DHS CIO and CFO remain fully committed to working together to secure DHS
        financial systems and continue to raise the standards for ITGCs for securing all DHS
        financial systems information.

        If you have any questions or would like additional information, please contact Emery
        Csulak, ISO Compliance Director at (202) 357-6113 or Michael Wetklow, OCFO,
        Director, Internal Control Program Management Office at (202) 447-5106.


                                                                         Appendix E
                       Department of Homeland Security
                   Information Technology Management Letter
                              September 30, 2010


                 Report Distribution

                 Department of Homeland Security

                 Secretary
                 Deputy Secretary
                 General Counsel
                 Chief of Staff
                 Deputy Chief of Staff
                 Executive Secretariat
                 Under Secretary, Management
                 Chief Information Officer
                 Chief Financial Officer
                 Chief Information Security Officer
                 Assistant Secretary for Office of Policy
                 Assistant Secretary for Office of Public Affairs
                 Assistant Secretary for Office of Legislative Affairs
                 DHS GAO OIG Audit Liaison
                 Chief Information Officer, Audit Liaison

                 Office of Management and Budget

                 Chief, Homeland Security Branch
                 DHS OIG Budget Examiner

                 Congress

                 Congressional Oversight and Appropriations Committees, as
                 appropriate


ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.


OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal
misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.


The OIG seeks to protect the identity of each writer and caller.